@neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) #28

Open
mend-bolt-for-github bot opened this issue May 26, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

mend-bolt-for-github bot commented May 26, 2022

Vulnerable Library - @neftie/subgraph-0.0.0.tgz

Path to dependency file: /package.json

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (@neftie/subgraph version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2021-0153 | Critical | 9.8 | ejs-2.7.4.tgz | Transitive | N/A* | |
| CVE-2022-29078 | Critical | 9.8 | ejs-2.7.4.tgz | Transitive | N/A* | |
| CVE-2021-42581 | Critical | 9.1 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2022-24772 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2022-24771 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.0.tgz | Transitive | N/A* | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-16.1.0.tgz | Transitive | N/A* | |
| CVE-2020-15168 | Medium | 5.3 | node-fetch-2.6.0.tgz | Transitive | N/A* | |
| CVE-2022-24773 | Medium | 5.3 | node-forge-0.10.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

WS-2021-0153

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • gluegun-4.3.1.tgz
        • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

An Arbitrary Code Injection vulnerability was found in ejs before 3.1.6, caused by a filename that is not sanitized before being displayed.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • gluegun-4.3.1.tgz
        • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

CVE-2021-42581

Vulnerable Libraries - ramda-0.25.0.tgz, ramda-0.24.1.tgz

ramda-0.25.0.tgz

A practical functional library for JavaScript programmers.

Library home page: https://registry.npmjs.org/ramda/-/ramda-0.25.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • gluegun-4.3.1.tgz
        • apisauce-1.1.5.tgz
          • ramda-0.25.0.tgz (Vulnerable Library)

ramda-0.24.1.tgz

A practical functional library for JavaScript programmers.

Library home page: https://registry.npmjs.org/ramda/-/ramda-0.24.1.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • gluegun-4.3.1.tgz
        • ramdasauce-2.1.3.tgz
          • ramda-0.24.1.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Publish Date: 2022-05-10

URL: CVE-2021-42581

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42581

Release Date: 2022-05-10

Fix Resolution: ramda - v0.27.1

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • ipfs-http-client-34.0.0.tgz
        • peer-id-0.12.5.tgz
          • libp2p-crypto-0.16.4.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • ipfs-http-client-34.0.0.tgz
        • peer-id-0.12.5.tgz
          • libp2p-crypto-0.16.4.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • ipfs-http-client-34.0.0.tgz
        • peer-id-0.12.5.tgz
          • libp2p-crypto-0.16.4.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • ipfs-http-client-34.0.0.tgz
        • peer-id-0.12.5.tgz
          • libp2p-crypto-0.16.4.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • node-fetch-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2020-7608

Vulnerable Library - yargs-parser-16.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-16.1.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • gluegun-4.3.1.tgz
        • yargs-parser-16.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

CVE-2020-15168

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • node-fetch-2.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9

CVE-2022-24773

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Dependency Hierarchy:

  • @neftie/subgraph-0.0.0.tgz (Root Library)
    • graph-cli-0.30.1.tgz
      • ipfs-http-client-34.0.0.tgz
        • peer-id-0.12.5.tgz
          • libp2p-crypto-0.16.4.tgz
            • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e14993dfa9224814b31a2944ee9c5a18cccd4a1

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label May 26, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 11 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) Jul 26, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 11 vulnerabilities (highest severity is: 9.8) Aug 16, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 11 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) Mar 17, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 13 vulnerabilities (highest severity is: 9.8) Apr 26, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 13 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) May 1, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 13 vulnerabilities (highest severity is: 9.8) May 6, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title @neftie/subgraph-0.0.0.tgz: 13 vulnerabilities (highest severity is: 9.8) @neftie/subgraph-0.0.0.tgz: 12 vulnerabilities (highest severity is: 9.8) Jun 19, 2023