gitimages.expertflow.com/cim/team-announcement:4.3 (alpine 3.12.3)
==================================================================
Total: 76 (UNKNOWN: 0, LOW: 10, MEDIUM: 20, HIGH: 40, CRITICAL: 6)

LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
-------------+------------------+----------+-------------------+---------------+------
apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1         | 2.10.7-r0     | libfetch: an out of boundary read while libfetch uses strtol to parse... -->avd.aquasec.com/nvd/cve-2021-36159
apk-tools    | CVE-2021-30139   | HIGH     | 2.10.5-r1         | 2.10.6-r0     | In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer... -->avd.aquasec.com/nvd/cve-2021-30139
busybox      | CVE-2021-28831   | HIGH     | 1.31.1-r19        | 1.31.1-r20    | busybox: invalid free or segmentation fault via malformed gzip data -->avd.aquasec.com/nvd/cve-2021-28831
busybox      | CVE-2021-42378   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42378
busybox      | CVE-2021-42379   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42379
busybox      | CVE-2021-42380   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42380
busybox      | CVE-2021-42381   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42381
busybox      | CVE-2021-42382   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42382
busybox      | CVE-2021-42383   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42383
busybox      | CVE-2021-42384   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42384
busybox      | CVE-2021-42385   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42385
busybox      | CVE-2021-42386   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42386
busybox      | CVE-2022-28391   | HIGH     | 1.31.1-r19        | 1.31.1-r22    | busybox: remote attackers may execute arbitrary code if netstat is used -->avd.aquasec.com/nvd/cve-2022-28391
busybox      | CVE-2021-42374   | MEDIUM   | 1.31.1-r19        | 1.31.1-r21    | busybox: out-of-bounds read in unlzma applet leads to information leak and denial... -->avd.aquasec.com/nvd/cve-2021-42374
curl         | CVE-2021-22945   | CRITICAL | 7.69.1-r3         | 7.79.0-r0     | curl: use-after-free and double-free in MQTT sending -->avd.aquasec.com/nvd/cve-2021-22945
curl         | CVE-2021-22901   | HIGH     | 7.69.1-r3         | 7.77.0-r0     | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend -->avd.aquasec.com/nvd/cve-2021-22901
curl         | CVE-2021-22946   | HIGH     | 7.69.1-r3         | 7.79.0-r0     | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... -->avd.aquasec.com/nvd/cve-2021-22946
curl         | CVE-2022-22576   | HIGH     | 7.69.1-r3         | 7.79.1-r1     | curl: OAUTH2 bearer bypass in connection re-use -->avd.aquasec.com/nvd/cve-2022-22576
curl         | CVE-2022-27775   | HIGH     | 7.69.1-r3         | 7.79.1-r1     | curl: bad local IPv6 connection reuse -->avd.aquasec.com/nvd/cve-2022-27775
curl         | CVE-2021-22876   | MEDIUM   | 7.69.1-r3         | 7.76.0-r0     | curl: Leak of authentication credentials in URL via automatic Referer -->avd.aquasec.com/nvd/cve-2021-22876
curl         | CVE-2021-22922   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Content not matching hash in Metalink is not being discarded -->avd.aquasec.com/nvd/cve-2021-22922
curl         | CVE-2021-22923   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Metalink download sends credentials -->avd.aquasec.com/nvd/cve-2021-22923
curl         | CVE-2021-22925   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22925
curl         | CVE-2021-22947   | MEDIUM   | 7.69.1-r3         | 7.79.0-r0     | curl: Server responses received before STARTTLS processed after TLS handshake -->avd.aquasec.com/nvd/cve-2021-22947
curl         | CVE-2022-27774   | MEDIUM   | 7.69.1-r3         | 7.79.1-r1     | curl: credential leak on redirect -->avd.aquasec.com/nvd/cve-2022-27774
curl         | CVE-2022-27776   | MEDIUM   | 7.69.1-r3         | 7.79.1-r1     | curl: auth/cookie leak on redirect -->avd.aquasec.com/nvd/cve-2022-27776
curl         | CVE-2020-8284    | LOW      | 7.69.1-r3         | 7.74.0-r0     | curl: FTP PASV command response can cause curl to connect to arbitrary... -->avd.aquasec.com/nvd/cve-2020-8284
curl         | CVE-2021-22890   | LOW      | 7.69.1-r3         | 7.76.0-r0     | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host -->avd.aquasec.com/nvd/cve-2021-22890
curl         | CVE-2021-22898   | LOW      | 7.69.1-r3         | 7.77.0-r0     | curl: TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22898
curl         | CVE-2021-22924   | LOW      | 7.69.1-r3         | 7.78.0-r0     | curl: Bad connection reuse due to flawed path name checks -->avd.aquasec.com/nvd/cve-2021-22924
libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1i-r0         | 1.1.1l-r0     | openssl: SM2 Decryption Buffer Overflow -->avd.aquasec.com/nvd/cve-2021-3711
libcrypto1.1 | CVE-2021-23840   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: integer overflow in CipherUpdate -->avd.aquasec.com/nvd/cve-2021-23840
libcrypto1.1 | CVE-2021-3450    | HIGH     | 1.1.1i-r0         | 1.1.1k-r0     | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT -->avd.aquasec.com/nvd/cve-2021-3450
libcrypto1.1 | CVE-2021-3712    | HIGH     | 1.1.1i-r0         | 1.1.1l-r0     | openssl: Read buffer overruns processing ASN.1 strings -->avd.aquasec.com/nvd/cve-2021-3712
libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1i-r0         | 1.1.1n-r0     | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -->avd.aquasec.com/nvd/cve-2022-0778
libcrypto1.1 | CVE-2021-23841   | MEDIUM   | 1.1.1i-r0         | 1.1.1j-r0     | openssl: NULL pointer dereference in X509_issuer_and_serial_hash() -->avd.aquasec.com/nvd/cve-2021-23841
libcrypto1.1 | CVE-2021-3449    | MEDIUM   | 1.1.1i-r0         | 1.1.1k-r0     | openssl: NULL pointer dereference in signature_algorithms processing -->avd.aquasec.com/nvd/cve-2021-3449
libcrypto1.1 | CVE-2021-23839   | LOW      | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2 rollback protection -->avd.aquasec.com/nvd/cve-2021-23839
libcurl      | CVE-2021-22945   | CRITICAL | 7.69.1-r3         | 7.79.0-r0     | curl: use-after-free and double-free in MQTT sending -->avd.aquasec.com/nvd/cve-2021-22945
libcurl      | CVE-2021-22901   | HIGH     | 7.69.1-r3         | 7.77.0-r0     | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend -->avd.aquasec.com/nvd/cve-2021-22901
libcurl      | CVE-2021-22946   | HIGH     | 7.69.1-r3         | 7.79.0-r0     | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and... -->avd.aquasec.com/nvd/cve-2021-22946
libcurl      | CVE-2022-22576   | HIGH     | 7.69.1-r3         | 7.79.1-r1     | curl: OAUTH2 bearer bypass in connection re-use -->avd.aquasec.com/nvd/cve-2022-22576
libcurl      | CVE-2022-27775   | HIGH     | 7.69.1-r3         | 7.79.1-r1     | curl: bad local IPv6 connection reuse -->avd.aquasec.com/nvd/cve-2022-27775
libcurl      | CVE-2021-22876   | MEDIUM   | 7.69.1-r3         | 7.76.0-r0     | curl: Leak of authentication credentials in URL via automatic Referer -->avd.aquasec.com/nvd/cve-2021-22876
libcurl      | CVE-2021-22922   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Content not matching hash in Metalink is not being discarded -->avd.aquasec.com/nvd/cve-2021-22922
libcurl      | CVE-2021-22923   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Metalink download sends credentials -->avd.aquasec.com/nvd/cve-2021-22923
libcurl      | CVE-2021-22925   | MEDIUM   | 7.69.1-r3         | 7.78.0-r0     | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22925
libcurl      | CVE-2021-22947   | MEDIUM   | 7.69.1-r3         | 7.79.0-r0     | curl: Server responses received before STARTTLS processed after TLS handshake -->avd.aquasec.com/nvd/cve-2021-22947
libcurl      | CVE-2022-27774   | MEDIUM   | 7.69.1-r3         | 7.79.1-r1     | curl: credential leak on redirect -->avd.aquasec.com/nvd/cve-2022-27774
libcurl      | CVE-2022-27776   | MEDIUM   | 7.69.1-r3         | 7.79.1-r1     | curl: auth/cookie leak on redirect -->avd.aquasec.com/nvd/cve-2022-27776
libcurl      | CVE-2020-8284    | LOW      | 7.69.1-r3         | 7.74.0-r0     | curl: FTP PASV command response can cause curl to connect to arbitrary... -->avd.aquasec.com/nvd/cve-2020-8284
libcurl      | CVE-2021-22890   | LOW      | 7.69.1-r3         | 7.76.0-r0     | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host -->avd.aquasec.com/nvd/cve-2021-22890
libcurl      | CVE-2021-22898   | LOW      | 7.69.1-r3         | 7.77.0-r0     | curl: TELNET stack contents disclosure -->avd.aquasec.com/nvd/cve-2021-22898
libcurl      | CVE-2021-22924   | LOW      | 7.69.1-r3         | 7.78.0-r0     | curl: Bad connection reuse due to flawed path name checks -->avd.aquasec.com/nvd/cve-2021-22924
libssl1.1    | CVE-2021-3711    | CRITICAL | 1.1.1i-r0         | 1.1.1l-r0     | openssl: SM2 Decryption Buffer Overflow -->avd.aquasec.com/nvd/cve-2021-3711
libssl1.1    | CVE-2021-23840   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: integer overflow in CipherUpdate -->avd.aquasec.com/nvd/cve-2021-23840
libssl1.1    | CVE-2021-3450    | HIGH     | 1.1.1i-r0         | 1.1.1k-r0     | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT -->avd.aquasec.com/nvd/cve-2021-3450
libssl1.1    | CVE-2021-3712    | HIGH     | 1.1.1i-r0         | 1.1.1l-r0     | openssl: Read buffer overruns processing ASN.1 strings -->avd.aquasec.com/nvd/cve-2021-3712
libssl1.1    | CVE-2022-0778    | HIGH     | 1.1.1i-r0         | 1.1.1n-r0     | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates -->avd.aquasec.com/nvd/cve-2022-0778
libssl1.1    | CVE-2021-23841   | MEDIUM   | 1.1.1i-r0         | 1.1.1j-r0     | openssl: NULL pointer dereference in X509_issuer_and_serial_hash() -->avd.aquasec.com/nvd/cve-2021-23841
libssl1.1    | CVE-2021-3449    | MEDIUM   | 1.1.1i-r0         | 1.1.1k-r0     | openssl: NULL pointer dereference in signature_algorithms processing -->avd.aquasec.com/nvd/cve-2021-3449
libssl1.1    | CVE-2021-23839   | LOW      | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2 rollback protection -->avd.aquasec.com/nvd/cve-2021-23839
ssl_client   | CVE-2021-28831   | HIGH     | 1.31.1-r19        | 1.31.1-r20    | busybox: invalid free or segmentation fault via malformed gzip data -->avd.aquasec.com/nvd/cve-2021-28831
ssl_client   | CVE-2021-42378   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42378
ssl_client   | CVE-2021-42379   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42379
ssl_client   | CVE-2021-42380   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42380
ssl_client   | CVE-2021-42381   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42381
ssl_client   | CVE-2021-42382   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42382
ssl_client   | CVE-2021-42383   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42383
ssl_client   | CVE-2021-42384   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42384
ssl_client   | CVE-2021-42385   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42385
ssl_client   | CVE-2021-42386   | HIGH     | 1.31.1-r19        | 1.31.1-r21    | busybox: use-after-free in awk applet leads to denial of service and possibly... -->avd.aquasec.com/nvd/cve-2021-42386
ssl_client   | CVE-2022-28391   | HIGH     | 1.31.1-r19        | 1.31.1-r22    | busybox: remote attackers may execute arbitrary code if netstat is used -->avd.aquasec.com/nvd/cve-2022-28391
ssl_client   | CVE-2021-42374   | MEDIUM   | 1.31.1-r19        | 1.31.1-r21    | busybox: out-of-bounds read in unlzma applet leads to information leak and denial... -->avd.aquasec.com/nvd/cve-2021-42374
zlib         | CVE-2022-37434   | CRITICAL | 1.2.11-r3         | 1.2.12-r2     | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a... -->avd.aquasec.com/nvd/cve-2022-37434
zlib         | CVE-2018-25032   | HIGH     | 1.2.11-r3         | 1.2.12-r0     | zlib: A flaw found in zlib when compressing (not decompressing) certain inputs... -->avd.aquasec.com/nvd/cve-2018-25032

Java (jar)
==========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

LIBRARY                | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
-----------------------+------------------+----------+-------------------+---------------+------
com.squareup.okio:okio | CVE-2023-3635    | MEDIUM   | 1.13.0            | 3.4.0, 1.17.6 | okio: GzipSource class improper exception handling -->avd.aquasec.com/nvd/cve-2023-3635

Node.js (node-pkg)
==================
Total: 45 (UNKNOWN: 0, LOW: 0, MEDIUM: 25, HIGH: 16, CRITICAL: 4)

LIBRARY              | VULNERABILITY ID    | SEVERITY | INSTALLED VERSION | FIXED VERSION                  | TITLE
---------------------+---------------------+----------+-------------------+--------------------------------+------
ansi-regex           | CVE-2021-3807       | HIGH     | 3.0.0             | 6.0.1, 5.0.1, 4.1.1, 3.0.1     | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes -->avd.aquasec.com/nvd/cve-2021-3807
ansi-regex           | CVE-2021-3807       | HIGH     | 4.1.0             | 6.0.1, 5.0.1, 4.1.1, 3.0.1     | nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes -->avd.aquasec.com/nvd/cve-2021-3807
axios                | CVE-2023-45857      | MEDIUM   | 0.21.4            | 1.6.0, 0.28.0                  | axios: exposure of confidential data stored in cookies -->avd.aquasec.com/nvd/cve-2023-45857
crypto-js            | CVE-2023-46233      | CRITICAL | 4.1.1             | 4.2.0                          | crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times... -->avd.aquasec.com/nvd/cve-2023-46233
decode-uri-component | CVE-2022-38900      | HIGH     | 0.2.0             | 0.2.1                          | decode-uri-component: improper input validation resulting in DoS -->avd.aquasec.com/nvd/cve-2022-38900
degenerator          | CVE-2021-23406      | HIGH     | 2.2.0             | 3.0.1                          | nodejs-pac-resolver: remote code execution when used with untrusted input due to unsafe... -->avd.aquasec.com/nvd/cve-2021-23406
express              | CVE-2024-29041      | MEDIUM   | 4.18.2            | 4.19.2, 5.0.0-beta.3           | Express.js minimalist web framework for node. Versions of Express.js p ... -->avd.aquasec.com/nvd/cve-2024-29041
follow-redirects     | CVE-2023-26159      | MEDIUM   | 1.15.3            | 1.15.4                         | follow-redirects: Improper Input Validation due to the improper handling of URLs by... -->avd.aquasec.com/nvd/cve-2023-26159
follow-redirects     | CVE-2024-28849      | MEDIUM   | 1.15.3            | 1.15.6                         | follow-redirects: Possible credential leak -->avd.aquasec.com/nvd/cve-2024-28849
formidable           | CVE-2022-29622      | CRITICAL | 1.2.6             | 3.2.4                          | An arbitrary file upload vulnerability in formidable v3.1.4 allows att ... -->avd.aquasec.com/nvd/cve-2022-29622
got                  | CVE-2022-33987      | MEDIUM   | 6.7.1             | 12.1.0, 11.8.5                 | nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets -->avd.aquasec.com/nvd/cve-2022-33987
hosted-git-info      | CVE-2021-23362      | MEDIUM   | 2.8.8             | 2.8.9, 3.0.8                   | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() -->avd.aquasec.com/nvd/cve-2021-23362
http-cache-semantics | CVE-2022-25881      | HIGH     | 3.8.1             | 4.1.1                          | http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability -->avd.aquasec.com/nvd/cve-2022-25881
ip                   | CVE-2023-42282      | MEDIUM   | 1.1.5             | 2.0.1, 1.1.9                   | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282
ip                   | CVE-2023-42282      | MEDIUM   | 1.1.8             | 2.0.1, 1.1.9                   | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282
ip                   | CVE-2023-42282      | MEDIUM   | 2.0.0             | 2.0.1, 1.1.9                   | nodejs-ip: arbitrary code execution via the isPublic() function -->avd.aquasec.com/nvd/cve-2023-42282
json-schema          | CVE-2021-3918       | CRITICAL | 0.2.3             | 0.4.0                          | nodejs-json-schema: Prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2021-3918
jsonwebtoken         | CVE-2022-23539      | MEDIUM   | 8.5.1             | 9.0.0                          | jsonwebtoken: Unrestricted key type could lead to legacy keys usagen -->avd.aquasec.com/nvd/cve-2022-23539
jsonwebtoken         | CVE-2022-23540      | MEDIUM   | 8.5.1             | 9.0.0                          | jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass... -->avd.aquasec.com/nvd/cve-2022-23540
jsonwebtoken         | CVE-2022-23541      | MEDIUM   | 8.5.1             | 9.0.0                          | jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private... -->avd.aquasec.com/nvd/cve-2022-23541
keycloak-connect     | CVE-2022-2237       | MEDIUM   | 10.0.2            | 21.0.1                         | Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO -->avd.aquasec.com/nvd/cve-2022-2237
minimatch            | CVE-2022-3517       | HIGH     | 3.0.4             | 3.0.5                          | nodejs-minimatch: ReDoS via the braceExpand function -->avd.aquasec.com/nvd/cve-2022-3517
minimist             | CVE-2021-44906      | CRITICAL | 1.2.5             | 1.2.6, 0.2.4                   | minimist: prototype pollution -->avd.aquasec.com/nvd/cve-2021-44906
nodemailer           | GHSA-9h6g-pr28-7cqp | MEDIUM   | 6.9.6             | 6.9.9                          | nodemailer ReDoS when trying to send a specially crafted email -->github.com/advisories/GHSA-9h6g-pr28-7cqp
pac-resolver         | CVE-2021-23406      | HIGH     | 4.2.0             | 5.0.0                          | nodejs-pac-resolver: remote code execution when used with untrusted input due to unsafe... -->avd.aquasec.com/nvd/cve-2021-23406
passport             | CVE-2022-25896      | MEDIUM   | 0.4.1             | 0.6.0                          | passport: incorrect session regeneration -->avd.aquasec.com/nvd/cve-2022-25896
path-parse           | CVE-2021-23343      | MEDIUM   | 1.0.6             | 1.0.7                          | nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe -->avd.aquasec.com/nvd/cve-2021-23343
qs                   | CVE-2022-24999      | HIGH     | 6.5.2             | 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 | express: "qs" prototype poisoning causes the hang of the node process -->avd.aquasec.com/nvd/cve-2022-24999
request              | CVE-2023-28155      | MEDIUM   | 2.88.0            |                                | The Request package through 2.88.1 for Node.js allows a bypass of SSRF... -->avd.aquasec.com/nvd/cve-2023-28155
request              | CVE-2023-28155      | MEDIUM   | 2.88.2            |                                | The Request package through 2.88.1 for Node.js allows a bypass of SSRF... -->avd.aquasec.com/nvd/cve-2023-28155
semver               | CVE-2022-25883      | MEDIUM   | 5.7.1             | 7.5.2, 6.3.1, 5.7.2            | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883
semver               | CVE-2022-25883      | MEDIUM   | 7.0.0             | 7.5.2, 6.3.1, 5.7.2            | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883
semver               | CVE-2022-25883      | MEDIUM   | 7.2.3             | 7.5.2, 6.3.1, 5.7.2            | nodejs-semver: Regular expression denial of service -->avd.aquasec.com/nvd/cve-2022-25883
ssri                 | CVE-2021-27290      | HIGH     | 6.0.1             | 6.0.2, 7.1.1, 8.0.1            | nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode... -->avd.aquasec.com/nvd/cve-2021-27290
tar                  | CVE-2021-32803      | HIGH     | 4.4.13            | 3.2.3, 4.4.15, 5.0.7, 6.1.2    | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32803
tar                  | CVE-2021-32804      | HIGH     | 4.4.13            | 3.2.2, 4.4.14, 5.0.6, 6.1.1    | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite -->avd.aquasec.com/nvd/cve-2021-32804
tar                  | CVE-2021-37701      | HIGH     | 4.4.13            | 4.4.16, 5.0.8, 6.1.7           | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37701
tar                  | CVE-2021-37712      | HIGH     | 4.4.13            | 4.4.18, 5.0.10, 6.1.9          | nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links... -->avd.aquasec.com/nvd/cve-2021-37712
tar                  | CVE-2021-37713      | HIGH     | 4.4.13            | 4.4.18, 5.0.10, 6.1.9          | nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization -->avd.aquasec.com/nvd/cve-2021-37713
tar                  | CVE-2024-28863      | MEDIUM   | 4.4.13            | 6.2.1                          | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has... -->avd.aquasec.com/nvd/cve-2024-28863
tough-cookie         | CVE-2023-26136      | MEDIUM   | 2.4.3             | 4.1.3                          | tough-cookie: prototype pollution in cookie memstore -->avd.aquasec.com/nvd/cve-2023-26136
tough-cookie         | CVE-2023-26136      | MEDIUM   | 2.5.0             | 4.1.3                          | tough-cookie: prototype pollution in cookie memstore -->avd.aquasec.com/nvd/cve-2023-26136
ws                   | CVE-2021-32640      | MEDIUM   | 7.2.5             | 7.4.6, 6.2.2, 5.2.3            | nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to... -->avd.aquasec.com/nvd/cve-2021-32640
y18n                 | CVE-2020-7774       | HIGH     | 4.0.0             | 3.2.2, 4.0.1, 5.0.5            | nodejs-y18n: prototype pollution vulnerability -->avd.aquasec.com/nvd/cve-2020-7774
yarn                 | CVE-2021-4435       | HIGH     | 1.22.5            | 1.22.13                        | yarn: untrusted search path -->avd.aquasec.com/nvd/cve-2021-4435