gitimages.expertflow.com/cim/agent-manager:4.4 (alpine 3.12.3)
==============================================================
Total: 76 (UNKNOWN: 0, LOW: 10, MEDIUM: 20, HIGH: 40, CRITICAL: 6)

LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
--------------------------------------------------------------------------------
apk-tools | CVE-2021-36159 | CRITICAL | 2.10.5-r1 | 2.10.7-r0 | libfetch: an out of boundary read while libfetch uses strtol to parse... -->avd.aquasec.com/nvd/cve-2021-36159
apk-tools | CVE-2021-30139 | HIGH | 2.10.5-r1 | 2.10.6-r0 | In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer... -->avd.aquasec.com/nvd/cve-2021-30139
busybox | CVE-2021-28831 | HIGH | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation fault via malformed gzip data -->avd.aquasec.com/nvd/cve-2021-28831
busybox | CVE-2021-42378 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42378
busybox | CVE-2021-42379 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42379
busybox | CVE-2021-42380 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42380
busybox | CVE-2021-42381 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42381
busybox | CVE-2021-42382 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42382
busybox | CVE-2021-42383 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42383
busybox | CVE-2021-42384 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42384
busybox | CVE-2021-42385 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42385
busybox | CVE-2021-42386 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42386
busybox | CVE-2022-28391 | HIGH | 1.31.1-r19 | 1.31.1-r22 | busybox: remote attackers may execute arbitrary code if netstat is used -->avd.aquasec.com/nvd/cve-2022-28391
busybox | CVE-2021-42374 | MEDIUM | 1.31.1-r19 | 1.31.1-r21 | busybox: out-of-bounds read in unlzma applet leads to information leak and denial... -->avd.aquasec.com/nvd/cve-2021-42374
curl | CVE-2021-22945 | CRITICAL | 7.69.1-r3 | 7.79.0-r0 | curl: use-after-free and double-free in MQTT sending -->avd.aquasec.com/nvd/cve-2021-22945
curl | CVE-2021-22901 | HIGH | 7.69.1-r3 | 7.77.0-r0 | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend -->avd.aquasec.com/nvd/cve-2021-22901
curl | CVE-2021-22946 | HIGH | 7.69.1-r3 | 7.79.0-r0 | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... -->avd.aquasec.com/nvd/cve-2021-22946
curl | CVE-2022-22576 | HIGH | 7.69.1-r3 | 7.79.1-r1 | curl: OAUTH2 bearer bypass in connection re-use -->avd.aquasec.com/nvd/cve-2022-22576
curl | CVE-2022-27775 | HIGH | 7.69.1-r3 | 7.79.1-r1 | curl: bad local IPv6 connection reuse -->avd.aquasec.com/nvd/cve-2022-27775
curl | CVE-2021-22876 | MEDIUM | 7.69.1-r3 | 7.76.0-r0 | curl: Leak of authentication credentials in URL via automatic Referer -->avd.aquasec.com/nvd/cve-2021-22876
curl | CVE-2021-22922 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Content not matching hash in Metalink is not being discarded -->avd.aquasec.com/nvd/cve-2021-22922
curl | CVE-2021-22923 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Metalink download sends credentials -->avd.aquasec.com/nvd/cve-2021-22923
curl | CVE-2021-22925 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22925
curl | CVE-2021-22947 | MEDIUM | 7.69.1-r3 | 7.79.0-r0 | curl: Server responses received before STARTTLS processed after TLS handshake -->avd.aquasec.com/nvd/cve-2021-22947
curl | CVE-2022-27774 | MEDIUM | 7.69.1-r3 | 7.79.1-r1 | curl: credential leak on redirect -->avd.aquasec.com/nvd/cve-2022-27774
curl | CVE-2022-27776 | MEDIUM | 7.69.1-r3 | 7.79.1-r1 | curl: auth/cookie leak on redirect -->avd.aquasec.com/nvd/cve-2022-27776
curl | CVE-2020-8284 | LOW | 7.69.1-r3 | 7.74.0-r0 | curl: FTP PASV command response can cause curl to connect to arbitrary... -->avd.aquasec.com/nvd/cve-2020-8284
curl | CVE-2021-22890 | LOW | 7.69.1-r3 | 7.76.0-r0 | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host -->avd.aquasec.com/nvd/cve-2021-22890
curl | CVE-2021-22898 | LOW | 7.69.1-r3 | 7.77.0-r0 | curl: TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22898
curl | CVE-2021-22924 | LOW | 7.69.1-r3 | 7.78.0-r0 | curl: Bad connection reuse due to flawed path name checks -->avd.aquasec.com/nvd/cve-2021-22924
libcrypto1.1 | CVE-2021-3711 | CRITICAL | 1.1.1i-r0 | 1.1.1l-r0 | openssl: SM2 Decryption Buffer Overflow -->avd.aquasec.com/nvd/cve-2021-3711
libcrypto1.1 | CVE-2021-23840 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: integer overflow in CipherUpdate -->avd.aquasec.com/nvd/cve-2021-23840
libcrypto1.1 | CVE-2021-3450 | HIGH | 1.1.1i-r0 | 1.1.1k-r0 | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT -->avd.aquasec.com/nvd/cve-2021-3450
libcrypto1.1 | CVE-2021-3712 | HIGH | 1.1.1i-r0 | 1.1.1l-r0 | openssl: Read buffer overruns processing ASN.1 strings -->avd.aquasec.com/nvd/cve-2021-3712
libcrypto1.1 | CVE-2022-0778 | HIGH | 1.1.1i-r0 | 1.1.1n-r0 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -->avd.aquasec.com/nvd/cve-2022-0778
libcrypto1.1 | CVE-2021-23841 | MEDIUM | 1.1.1i-r0 | 1.1.1j-r0 | openssl: NULL pointer dereference in X509_issuer_and_serial_hash() -->avd.aquasec.com/nvd/cve-2021-23841
libcrypto1.1 | CVE-2021-3449 | MEDIUM | 1.1.1i-r0 | 1.1.1k-r0 | openssl: NULL pointer dereference in signature_algorithms processing -->avd.aquasec.com/nvd/cve-2021-3449
libcrypto1.1 | CVE-2021-23839 | LOW | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 rollback protection -->avd.aquasec.com/nvd/cve-2021-23839
libcurl | CVE-2021-22945 | CRITICAL | 7.69.1-r3 | 7.79.0-r0 | curl: use-after-free and double-free in MQTT sending -->avd.aquasec.com/nvd/cve-2021-22945
libcurl | CVE-2021-22901 | HIGH | 7.69.1-r3 | 7.77.0-r0 | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend -->avd.aquasec.com/nvd/cve-2021-22901
libcurl | CVE-2021-22946 | HIGH | 7.69.1-r3 | 7.79.0-r0 | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... -->avd.aquasec.com/nvd/cve-2021-22946
libcurl | CVE-2022-22576 | HIGH | 7.69.1-r3 | 7.79.1-r1 | curl: OAUTH2 bearer bypass in connection re-use -->avd.aquasec.com/nvd/cve-2022-22576
libcurl | CVE-2022-27775 | HIGH | 7.69.1-r3 | 7.79.1-r1 | curl: bad local IPv6 connection reuse -->avd.aquasec.com/nvd/cve-2022-27775
libcurl | CVE-2021-22876 | MEDIUM | 7.69.1-r3 | 7.76.0-r0 | curl: Leak of authentication credentials in URL via automatic Referer -->avd.aquasec.com/nvd/cve-2021-22876
libcurl | CVE-2021-22922 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Content not matching hash in Metalink is not being discarded -->avd.aquasec.com/nvd/cve-2021-22922
libcurl | CVE-2021-22923 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Metalink download sends credentials -->avd.aquasec.com/nvd/cve-2021-22923
libcurl | CVE-2021-22925 | MEDIUM | 7.69.1-r3 | 7.78.0-r0 | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22925
libcurl | CVE-2021-22947 | MEDIUM | 7.69.1-r3 | 7.79.0-r0 | curl: Server responses received before STARTTLS processed after TLS handshake -->avd.aquasec.com/nvd/cve-2021-22947
libcurl | CVE-2022-27774 | MEDIUM | 7.69.1-r3 | 7.79.1-r1 | curl: credential leak on redirect -->avd.aquasec.com/nvd/cve-2022-27774
libcurl | CVE-2022-27776 | MEDIUM | 7.69.1-r3 | 7.79.1-r1 | curl: auth/cookie leak on redirect -->avd.aquasec.com/nvd/cve-2022-27776
libcurl | CVE-2020-8284 | LOW | 7.69.1-r3 | 7.74.0-r0 | curl: FTP PASV command response can cause curl to connect to arbitrary... -->avd.aquasec.com/nvd/cve-2020-8284
libcurl | CVE-2021-22890 | LOW | 7.69.1-r3 | 7.76.0-r0 | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host -->avd.aquasec.com/nvd/cve-2021-22890
libcurl | CVE-2021-22898 | LOW | 7.69.1-r3 | 7.77.0-r0 | curl: TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22898
libcurl | CVE-2021-22924 | LOW | 7.69.1-r3 | 7.78.0-r0 | curl: Bad connection reuse due to flawed path name checks -->avd.aquasec.com/nvd/cve-2021-22924
libssl1.1 | CVE-2021-3711 | CRITICAL | 1.1.1i-r0 | 1.1.1l-r0 | openssl: SM2 Decryption Buffer Overflow -->avd.aquasec.com/nvd/cve-2021-3711
libssl1.1 | CVE-2021-23840 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: integer overflow in CipherUpdate -->avd.aquasec.com/nvd/cve-2021-23840
libssl1.1 | CVE-2021-3450 | HIGH | 1.1.1i-r0 | 1.1.1k-r0 | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT -->avd.aquasec.com/nvd/cve-2021-3450
libssl1.1 | CVE-2021-3712 | HIGH | 1.1.1i-r0 | 1.1.1l-r0 | openssl: Read buffer overruns processing ASN.1 strings -->avd.aquasec.com/nvd/cve-2021-3712
libssl1.1 | CVE-2022-0778 | HIGH | 1.1.1i-r0 | 1.1.1n-r0 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -->avd.aquasec.com/nvd/cve-2022-0778
libssl1.1 | CVE-2021-23841 | MEDIUM | 1.1.1i-r0 | 1.1.1j-r0 | openssl: NULL pointer dereference in X509_issuer_and_serial_hash() -->avd.aquasec.com/nvd/cve-2021-23841
libssl1.1 | CVE-2021-3449 | MEDIUM | 1.1.1i-r0 | 1.1.1k-r0 | openssl: NULL pointer dereference in signature_algorithms processing -->avd.aquasec.com/nvd/cve-2021-3449
libssl1.1 | CVE-2021-23839 | LOW | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 rollback protection -->avd.aquasec.com/nvd/cve-2021-23839
ssl_client | CVE-2021-28831 | HIGH | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation fault via malformed gzip data -->avd.aquasec.com/nvd/cve-2021-28831
ssl_client | CVE-2021-42378 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42378
ssl_client | CVE-2021-42379 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42379
ssl_client | CVE-2021-42380 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42380
ssl_client | CVE-2021-42381 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42381
ssl_client | CVE-2021-42382 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42382
ssl_client | CVE-2021-42383 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42383
ssl_client | CVE-2021-42384 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42384
ssl_client | CVE-2021-42385 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42385
ssl_client | CVE-2021-42386 | HIGH | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42386
ssl_client | CVE-2022-28391 | HIGH | 1.31.1-r19 | 1.31.1-r22 | busybox: remote attackers may execute arbitrary code if netstat is used -->avd.aquasec.com/nvd/cve-2022-28391
ssl_client | CVE-2021-42374 | MEDIUM | 1.31.1-r19 | 1.31.1-r21 | busybox: out-of-bounds read in unlzma applet leads to information leak and denial... -->avd.aquasec.com/nvd/cve-2021-42374
zlib | CVE-2022-37434 | CRITICAL | 1.2.11-r3 | 1.2.12-r2 | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a... -->avd.aquasec.com/nvd/cve-2022-37434
zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | zlib: A flaw found in zlib when compressing (not decompressing) certain inputs... -->avd.aquasec.com/nvd/cve-2018-25032

Java (jar)
==========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
--------------------------------------------------------------------------------
com.squareup.okio:okio | CVE-2023-3635 | MEDIUM | 1.13.0 | 3.4.0, 1.17.6 | okio: GzipSource class improper exception handling -->avd.aquasec.com/nvd/cve-2023-3635

Node.js (node-pkg)
==================
Total: 46 (UNKNOWN: 0, LOW: 0, MEDIUM: 25, HIGH: 15, CRITICAL: 6)

LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
--------------------------------------------------------------------------------
@google-cloud/firestore | CVE-2023-6460 | MEDIUM | 4.15.1 | 6.1.0 | Logging of the firestore key within nodejs-firestore -->avd.aquasec.com/nvd/cve-2023-6460
ansi-regex | CVE-2021-3807 | HIGH | 3.0.0, 4.1.0 | 6.0.1, 5.0.1, 4.1.1, 3.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes -->avd.aquasec.com/nvd/cve-2021-3807
axios | CVE-2023-45857 | MEDIUM | 0.21.4 | 1.6.0, 0.28.0 | axios: exposure of confidential data stored in cookies -->avd.aquasec.com/nvd/cve-2023-45857
decode-uri-component | CVE-2022-38900 | HIGH | 0.2.0 | 0.2.1 | decode-uri-component: improper input validation resulting in DoS -->avd.aquasec.com/nvd/cve-2022-38900
express | CVE-2024-29041 | MEDIUM | 4.18.2 | 4.19.2, 5.0.0-beta.3 | Express.js minimalist web framework for node. Versions of Express.js p ... -->avd.aquasec.com/nvd/cve-2024-29041
follow-redirects | CVE-2024-28849 | MEDIUM | 1.15.5 | 1.15.6 | follow-redirects: Possible credential leak -->avd.aquasec.com/nvd/cve-2024-28849
formidable | CVE-2022-29622 | CRITICAL | 1.2.6 | 3.2.4 | An arbitrary file upload vulnerability in formidable v3.1.4 allows att ... -->avd.aquasec.com/nvd/cve-2022-29622
got | CVE-2022-33987 | MEDIUM | 6.7.1 | 12.1.0, 11.8.5 | nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets -->avd.aquasec.com/nvd/cve-2022-33987
hosted-git-info | CVE-2021-23362 | MEDIUM | 2.8.8 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() -->avd.aquasec.com/nvd/cve-2021-23362
http-cache-semantics | CVE-2022-25881 | HIGH | 3.8.1 | 4.1.1 | http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability -->avd.aquasec.com/nvd/cve-2022-25881
ip | CVE-2023-42282 | MEDIUM | 1.1.5, 1.1.8, 2.0.0 | 2.0.1, 1.1.9 | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282
jose | CVE-2024-28176 | MEDIUM | 2.0.6 | 4.15.5, 2.0.7 | jose: resource exhaustion -->avd.aquasec.com/nvd/cve-2024-28176
json-schema | CVE-2021-3918 | CRITICAL | 0.2.3 | 0.4.0 | nodejs-json-schema: Prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2021-3918
jsonwebtoken | CVE-2022-23539 | MEDIUM | 8.5.1 | 9.0.0 | jsonwebtoken: Unrestricted key type could lead to legacy keys usagen -->avd.aquasec.com/nvd/cve-2022-23539
jsonwebtoken | CVE-2022-23540 | MEDIUM | 8.5.1 | 9.0.0 | jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass... -->avd.aquasec.com/nvd/cve-2022-23540
jsonwebtoken | CVE-2022-23541 | MEDIUM | 8.5.1 | 9.0.0 | jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private... -->avd.aquasec.com/nvd/cve-2022-23541
keycloak-connect | CVE-2022-2237 | MEDIUM | 10.0.2 | 21.0.1 | Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO -->avd.aquasec.com/nvd/cve-2022-2237
minimatch | CVE-2022-3517 | HIGH | 3.0.4 | 3.0.5 | nodejs-minimatch: ReDoS via the braceExpand function -->avd.aquasec.com/nvd/cve-2022-3517
minimist | CVE-2021-44906 | CRITICAL | 1.2.5 | 1.2.6, 0.2.4 | minimist: prototype pollution -->avd.aquasec.com/nvd/cve-2021-44906
mysql2 | CVE-2024-21508 | CRITICAL | 2.3.3 | 3.9.4 | mysql2: Remote Code Execution -->avd.aquasec.com/nvd/cve-2024-21508
mysql2 | CVE-2024-21511 | CRITICAL | 2.3.3 | 3.9.7 | MySQL2 for Node Arbitrary Code Injection -->avd.aquasec.com/nvd/cve-2024-21511
mysql2 | CVE-2024-21507 | MEDIUM | 2.3.3 | 3.9.3 | mysql2: Improper Input Validation -->avd.aquasec.com/nvd/cve-2024-21507
mysql2 | CVE-2024-21509 | MEDIUM | 2.3.3 | 3.9.4 | mysql2: Prototype Poisoning -->avd.aquasec.com/nvd/cve-2024-21509
path-parse | CVE-2021-23343 | MEDIUM | 1.0.6 | 1.0.7 | nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe -->avd.aquasec.com/nvd/cve-2021-23343
protobufjs | CVE-2023-36665 | CRITICAL | 6.11.3 | 7.2.5, 6.11.4 | protobufjs: prototype pollution using user-controlled protobuf message -->avd.aquasec.com/nvd/cve-2023-36665
qs | CVE-2022-24999 | HIGH | 6.5.2 | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | express: "qs" prototype poisoning causes the hang of the node process -->avd.aquasec.com/nvd/cve-2022-24999
request | CVE-2023-28155 | MEDIUM | 2.88.0, 2.88.2 | (none) | The Request package through 2.88.1 for Node.js allows a bypass of SSRF... -->avd.aquasec.com/nvd/cve-2023-28155
semver | CVE-2022-25883 | MEDIUM | 5.7.1, 7.0.0 | 7.5.2, 6.3.1, 5.7.2 | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883
ssri | CVE-2021-27290 | HIGH | 6.0.1 | 6.0.2, 7.1.1, 8.0.1 | nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode... -->avd.aquasec.com/nvd/cve-2021-27290
taffydb | CVE-2019-10790 | HIGH | 2.6.2 | (none) | TaffyDB can allow access to any data items in the DB -->avd.aquasec.com/nvd/cve-2019-10790
tar | CVE-2021-32803 | HIGH | 4.4.13 | 3.2.3, 4.4.15, 5.0.7, 6.1.2 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32803
tar | CVE-2021-32804 | HIGH | 4.4.13 | 3.2.2, 4.4.14, 5.0.6, 6.1.1 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32804
tar | CVE-2021-37701 | HIGH | 4.4.13 | 4.4.16, 5.0.8, 6.1.7 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37701
tar | CVE-2021-37712 | HIGH | 4.4.13 | 4.4.18, 5.0.10, 6.1.9 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37712
tar | CVE-2021-37713 | HIGH | 4.4.13 | 4.4.18, 5.0.10, 6.1.9 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization -->avd.aquasec.com/nvd/cve-2021-37713
tar | CVE-2024-28863 | MEDIUM | 4.4.13, 4.4.19 | 6.2.1 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has... -->avd.aquasec.com/nvd/cve-2024-28863
tough-cookie | CVE-2023-26136 | MEDIUM | 2.4.3, 2.5.0 | 4.1.3 | tough-cookie: prototype pollution in cookie memstore -->avd.aquasec.com/nvd/cve-2023-26136
y18n | CVE-2020-7774 | HIGH | 4.0.0 | 3.2.2, 4.0.1, 5.0.5 | nodejs-y18n: prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2020-7774
yarn | CVE-2021-4435 | HIGH | 1.22.5 | 1.22.13 | yarn: untrusted search path -->avd.aquasec.com/nvd/cve-2021-4435