gitimages.expertflow.com/cim/cim-backend:4.4 (alpine 3.8.1)
===========================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

+------------+------------------+----------+-------------------+---------------+-------+
| LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+-------------------+---------------+-------+
| musl       | CVE-2019-14697   | CRITICAL | 1.1.19-r10        | 1.1.19-r11    | musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...... -->avd.aquasec.com/nvd/cve-2019-14697 |
| musl-utils | CVE-2019-14697   | CRITICAL | 1.1.19-r10        | 1.1.19-r11    | musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...... -->avd.aquasec.com/nvd/cve-2019-14697 |
+------------+------------------+----------+-------------------+---------------+-------+

Node.js (node-pkg)
==================
Total: 69 (UNKNOWN: 0, LOW: 5, MEDIUM: 27, HIGH: 30, CRITICAL: 7)

+----------------------+---------------------+----------+-------------------+---------------+-------+
| LIBRARY              | VULNERABILITY ID    | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------+---------------------+----------+-------------------+---------------+-------+
| ajv                  | CVE-2020-15366      | MEDIUM   | 5.5.2             | 6.12.3 | nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function -->avd.aquasec.com/nvd/cve-2020-15366 |
| ansi-regex           | CVE-2021-3807       | HIGH     | 3.0.0             | 6.0.1, 5.0.1, 4.1.1, 3.0.1 | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes -->avd.aquasec.com/nvd/cve-2021-3807 |
| bin-links            | GHSA-2mj8-pj3j-h362 | LOW      | 1.1.2             | 1.1.5 | Symlink reference outside of node_modules in bin-links -->github.com/advisories/GHSA-2mj8-pj3j-h362 |
| bin-links            | GHSA-gqf6-75v8-vr26 | LOW      | 1.1.2             | 1.1.5 | Arbitrary File Write in bin-links -->github.com/advisories/GHSA-gqf6-75v8-vr26 |
| bin-links            | GHSA-v45m-2wcp-gg98 | LOW      | 1.1.2             | 1.1.6 | Global node_modules Binary Overwrite in bin-links -->github.com/advisories/GHSA-v45m-2wcp-gg98 |
| chownr               | CVE-2017-18869      | LOW      | 1.0.1             | 1.1.0 | nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js -->avd.aquasec.com/nvd/cve-2017-18869 |
| decode-uri-component | CVE-2022-38900      | HIGH     | 0.2.0             | 0.2.1 | decode-uri-component: improper input validation resulting in DoS -->avd.aquasec.com/nvd/cve-2022-38900 |
| dicer                | CVE-2022-24434      | HIGH     | 0.2.5             |  | dicer: nodejs service crash by sending a crafted payload -->avd.aquasec.com/nvd/cve-2022-24434 |
| dot-prop             | CVE-2020-8116       | HIGH     | 4.2.0             | 4.2.1, 5.1.1 | nodejs-dot-prop: prototype pollution -->avd.aquasec.com/nvd/cve-2020-8116 |
| express              | CVE-2024-29041      | MEDIUM   | 4.18.2            | 4.19.2, 5.0.0-beta.3 | Express.js minimalist web framework for node. Versions of Express.js p ... -->avd.aquasec.com/nvd/cve-2024-29041 |
| flat                 | CVE-2020-36632      | CRITICAL | 4.1.1             | 5.0.1 | flat vulnerable to Prototype Pollution -->avd.aquasec.com/nvd/cve-2020-36632 |
| follow-redirects     | CVE-2024-28849      | MEDIUM   | 1.15.5            | 1.15.6 | follow-redirects: Possible credential leak -->avd.aquasec.com/nvd/cve-2024-28849 |
| formidable           | CVE-2022-29622      | CRITICAL | 2.1.2             | 3.2.4 | An arbitrary file upload vulnerability in formidable v3.1.4 allows att ... -->avd.aquasec.com/nvd/cve-2022-29622 |
| fstream              | CVE-2019-13173      | HIGH     | 1.0.11            | 1.0.12 | nodejs-fstream: File overwrite in fstream.DirWriter() function -->avd.aquasec.com/nvd/cve-2019-13173 |
| got                  | CVE-2022-33987      | MEDIUM   | 6.7.1             | 12.1.0, 11.8.5 | nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets -->avd.aquasec.com/nvd/cve-2022-33987 |
| hosted-git-info      | CVE-2021-23362      | MEDIUM   | 2.7.1             | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() -->avd.aquasec.com/nvd/cve-2021-23362 |
| http-cache-semantics | CVE-2022-25881      | HIGH     | 3.8.1             | 4.1.1 | http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability -->avd.aquasec.com/nvd/cve-2022-25881 |
| https-proxy-agent    | GHSA-pc5p-h8pf-mvwp | MEDIUM   | 2.2.1             | 2.2.3 | Machine-In-The-Middle in https-proxy-agent -->github.com/advisories/GHSA-pc5p-h8pf-mvwp |
| https-proxy-agent    | NSWG-ECO-505        | MEDIUM   | 2.2.1             | >=2.2.3 | Man-in-the-Middle -->hackerone.com/reports/541502 |
| ini                  | CVE-2020-7788       | HIGH     | 1.3.5             | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file -->avd.aquasec.com/nvd/cve-2020-7788 |
| ip                   | CVE-2023-42282      | MEDIUM   | 1.1.5             | 2.0.1, 1.1.9 | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282 |
| ip                   | CVE-2023-42282      | MEDIUM   | 2.0.0             | 2.0.1, 1.1.9 | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282 |
| json-schema          | CVE-2021-3918       | CRITICAL | 0.2.3             | 0.4.0 | nodejs-json-schema: Prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2021-3918 |
| lodash.set           | CVE-2020-8203       | HIGH     | 4.3.2             |  | nodejs-lodash: prototype pollution in zipObjectDeep function -->avd.aquasec.com/nvd/cve-2020-8203 |
| mem                  | GHSA-4xcv-9jjx-gfj3 | MEDIUM   | 1.1.0             | 4.0.0 | Denial of Service in mem -->github.com/advisories/GHSA-4xcv-9jjx-gfj3 |
| minimatch            | CVE-2022-3517       | HIGH     | 3.0.4             | 3.0.5 | nodejs-minimatch: ReDoS via the braceExpand function -->avd.aquasec.com/nvd/cve-2022-3517 |
| minimist             | CVE-2021-44906      | CRITICAL | 0.0.8             | 1.2.6, 0.2.4 | minimist: prototype pollution -->avd.aquasec.com/nvd/cve-2021-44906 |
| minimist             | CVE-2020-7598       | MEDIUM   | 0.0.8             | 0.2.1, 1.2.3 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... -->avd.aquasec.com/nvd/cve-2020-7598 |
| minimist             | CVE-2021-44906      | CRITICAL | 1.2.0             | 1.2.6, 0.2.4 | minimist: prototype pollution -->avd.aquasec.com/nvd/cve-2021-44906 |
| minimist             | CVE-2020-7598       | MEDIUM   | 1.2.0             | 0.2.1, 1.2.3 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... -->avd.aquasec.com/nvd/cve-2020-7598 |
| mysql2               | CVE-2024-21508      | CRITICAL | 2.3.3             | 3.9.4 | mysql2: Remote Code Execution -->avd.aquasec.com/nvd/cve-2024-21508 |
| mysql2               | CVE-2024-21511      | CRITICAL | 2.3.3             | 3.9.7 | MySQL2 for Node Arbitrary Code Injection -->avd.aquasec.com/nvd/cve-2024-21511 |
| mysql2               | CVE-2024-21507      | MEDIUM   | 2.3.3             | 3.9.3 | mysql2: Improper Input Validation -->avd.aquasec.com/nvd/cve-2024-21507 |
| mysql2               | CVE-2024-21509      | MEDIUM   | 2.3.3             | 3.9.4 | mysql2: Prototype Poisoning -->avd.aquasec.com/nvd/cve-2024-21509 |
| npm                  | CVE-2019-16775      | HIGH     | 6.4.1             | 6.13.3 | npm: Symlink reference outside of node_modules folder through the bin field upon... -->avd.aquasec.com/nvd/cve-2019-16775 |
| npm                  | CVE-2019-16776      | HIGH     | 6.4.1             | 6.13.3 | npm: Arbitrary file write via constructed entry in the package.json bin field... -->avd.aquasec.com/nvd/cve-2019-16776 |
| npm                  | CVE-2019-16777      | HIGH     | 6.4.1             | 6.13.4 | npm: Global node_modules Binary Overwrite -->avd.aquasec.com/nvd/cve-2019-16777 |
| npm                  | CVE-2020-15095      | MEDIUM   | 6.4.1             | 6.14.6 | npm: sensitive information exposure through logs -->avd.aquasec.com/nvd/cve-2020-15095 |
| npm-registry-fetch   | GHSA-jmqm-f2gx-4fjv | MEDIUM   | 1.1.0             | 4.0.5, 8.1.1 | Sensitive information exposure through logs in npm-registry-fetch -->github.com/advisories/GHSA-jmqm-f2gx-4fjv |
| npm-registry-fetch   | GHSA-jmqm-f2gx-4fjv | MEDIUM   | 3.1.1             | 4.0.5, 8.1.1 | Sensitive information exposure through logs in npm-registry-fetch -->github.com/advisories/GHSA-jmqm-f2gx-4fjv |
| npm-user-validate    | CVE-2020-7754       | HIGH     | 1.0.0             | 1.0.1 | nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS -->avd.aquasec.com/nvd/cve-2020-7754 |
| npm-user-validate    | GHSA-xgh6-85xh-479p | LOW      | 1.0.0             | 1.0.1 | Regular Expression Denial of Service in npm-user-validate -->github.com/advisories/GHSA-xgh6-85xh-479p |
| qs                   | CVE-2022-24999      | HIGH     | 6.5.2             | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | express: "qs" prototype poisoning causes the hang of the node process -->avd.aquasec.com/nvd/cve-2022-24999 |
| request              | CVE-2023-28155      | MEDIUM   | 2.88.0            |  | The Request package through 2.88.1 for Node.js allows a bypass of SSRF... -->avd.aquasec.com/nvd/cve-2023-28155 |
| semver               | CVE-2022-25883      | MEDIUM   | 5.3.0             | 7.5.2, 6.3.1, 5.7.2 | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883 |
| semver               | CVE-2022-25883      | MEDIUM   | 5.5.0             | 7.5.2, 6.3.1, 5.7.2 | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883 |
| semver               | CVE-2022-25883      | MEDIUM   | 7.0.0             | 7.5.2, 6.3.1, 5.7.2 | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883 |
| ssri                 | CVE-2021-27290      | HIGH     | 5.3.0             | 6.0.2, 7.1.1, 8.0.1 | nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode... -->avd.aquasec.com/nvd/cve-2021-27290 |
| ssri                 | CVE-2021-27290      | HIGH     | 6.0.0             | 6.0.2, 7.1.1, 8.0.1 | nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode... -->avd.aquasec.com/nvd/cve-2021-27290 |
| tar                  | CVE-2018-20834      | HIGH     | 2.2.1             | 4.4.2, 2.2.2 | nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link -->avd.aquasec.com/nvd/cve-2018-20834 |
| tar                  | CVE-2021-32804      | HIGH     | 2.2.1             | 3.2.2, 4.4.14, 5.0.6, 6.1.1 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32804 |
| tar                  | CVE-2021-37713      | HIGH     | 2.2.1             | 4.4.18, 5.0.10, 6.1.9 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization -->avd.aquasec.com/nvd/cve-2021-37713 |
| tar                  | CVE-2024-28863      | MEDIUM   | 2.2.1             | 6.2.1 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has... -->avd.aquasec.com/nvd/cve-2024-28863 |
| tar                  | CVE-2024-28863      | MEDIUM   | 4.4.19            | 6.2.1 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has... -->avd.aquasec.com/nvd/cve-2024-28863 |
| tar                  | CVE-2021-32803      | HIGH     | 4.4.6             | 3.2.3, 4.4.15, 5.0.7, 6.1.2 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32803 |
| tar                  | CVE-2021-32804      | HIGH     | 4.4.6             | 3.2.2, 4.4.14, 5.0.6, 6.1.1 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32804 |
| tar                  | CVE-2021-37701      | HIGH     | 4.4.6             | 4.4.16, 5.0.8, 6.1.7 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37701 |
| tar                  | CVE-2021-37712      | HIGH     | 4.4.6             | 4.4.18, 5.0.10, 6.1.9 | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37712 |
| tar                  | CVE-2021-37713      | HIGH     | 4.4.6             | 4.4.18, 5.0.10, 6.1.9 | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization -->avd.aquasec.com/nvd/cve-2021-37713 |
| tar                  | CVE-2024-28863      | MEDIUM   | 4.4.6             | 6.2.1 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has... -->avd.aquasec.com/nvd/cve-2024-28863 |
| tough-cookie         | CVE-2023-26136      | MEDIUM   | 2.4.3             | 4.1.3 | tough-cookie: prototype pollution in cookie memstore -->avd.aquasec.com/nvd/cve-2023-26136 |
| y18n                 | CVE-2020-7774       | HIGH     | 3.2.1             | 3.2.2, 4.0.1, 5.0.5 | nodejs-y18n: prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2020-7774 |
| y18n                 | CVE-2020-7774       | HIGH     | 4.0.0             | 3.2.2, 4.0.1, 5.0.5 | nodejs-y18n: prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2020-7774 |
| yargs-parser         | CVE-2020-7608       | MEDIUM   | 9.0.2             | 13.1.2, 15.0.1, 18.1.1, 5.0.1 | nodejs-yargs-parser: prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2020-7608 |
| yarn                 | CVE-2019-10773      | HIGH     | 1.12.3            | 1.22.0 | nodejs-yarn: Install functionality can be abused to generate arbitrary symlinks -->avd.aquasec.com/nvd/cve-2019-10773 |
| yarn                 | CVE-2019-5448       | HIGH     | 1.12.3            | 1.17.3 | Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ...... -->avd.aquasec.com/nvd/cve-2019-5448 |
| yarn                 | CVE-2020-8131       | HIGH     | 1.12.3            | 1.22.0 | yarn: Arbitrary filesystem write via tar expansion -->avd.aquasec.com/nvd/cve-2020-8131 |
| yarn                 | CVE-2021-4435       | HIGH     | 1.12.3            | 1.22.13 | yarn: untrusted search path -->avd.aquasec.com/nvd/cve-2021-4435 |
| yarn                 | CVE-2019-15608      | MEDIUM   | 1.12.3            | 1.19.0 | yarn: TOCTOU vulnerability leads to cache pollution -->avd.aquasec.com/nvd/cve-2019-15608 |
+----------------------+---------------------+----------+-------------------+---------------+-------+