gitimages.expertflow.com/chat-solution/file-engine:3.17.0 (alpine 3.12.1)
=========================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)
==================
Total: 43 (UNKNOWN: 0, LOW: 1, MEDIUM: 19, HIGH: 21, CRITICAL: 2)

+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| ansi-regex           | CVE-2021-3807    | HIGH     | 3.0.0             | 6.0.1, 5.0.1, 4.1.1, 3.0.1     | nodejs-ansi-regex: Regular            |
|                      |                  |          |                   |                                | expression denial of service          |
|                      |                  |          |                   |                                | (ReDoS) matching ANSI escape codes    |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-3807  |
+                      +                  +          +-------------------+                                +                                       +
|                      |                  |          | 4.1.0             |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| axios                | CVE-2021-3749    |          | 0.21.1            | 0.21.2                         | nodejs-axios: Regular expression      |
|                      |                  |          |                   |                                | denial of service in trim function    |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-3749  |
+                      +------------------+----------+                   +--------------------------------+---------------------------------------+
|                      | CVE-2023-45857   | MEDIUM   |                   | 1.6.0, 0.28.0                  | axios: exposure of confidential       |
|                      |                  |          |                   |                                | data stored in cookies                |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-45857 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| debug                | CVE-2017-16137   | LOW      | 3.2.6             | 2.6.9, 3.1.0, 3.2.7, 4.3.1     | nodejs-debug: Regular                 |
|                      |                  |          |                   |                                | expression Denial of Service          |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-16137 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| decode-uri-component | CVE-2022-38900   | HIGH     | 0.2.0             | 0.2.1                          | decode-uri-component: improper        |
|                      |                  |          |                   |                                | input validation resulting in DoS     |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-38900 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| dicer                | CVE-2022-24434   |          | 0.2.5             |                                | dicer: nodejs service crash           |
|                      |                  |          |                   |                                | by sending a crafted payload          |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-24434 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| express              | CVE-2024-29041   | MEDIUM   | 4.17.1            | 4.19.2, 5.0.0-beta.3           | Express.js minimalist                 |
|                      |                  |          |                   |                                | web framework for node.               |
|                      |                  |          |                   |                                | Versions of Express.js p ...          |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2024-29041 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| follow-redirects     | CVE-2022-0155    | HIGH     | 1.13.2            | 1.14.7                         | follow-redirects: Exposure of         |
|                      |                  |          |                   |                                | Private Personal Information          |
|                      |                  |          |                   |                                | to an Unauthorized Actor              |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-0155  |
+                      +------------------+----------+                   +--------------------------------+---------------------------------------+
|                      | CVE-2022-0536    | MEDIUM   |                   | 1.14.8                         | follow-redirects: Exposure            |
|                      |                  |          |                   |                                | of Sensitive Information via          |
|                      |                  |          |                   |                                | Authorization Header leak             |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-0536  |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2023-26159   |          |                   | 1.15.4                         | follow-redirects: Improper            |
|                      |                  |          |                   |                                | Input Validation due to the           |
|                      |                  |          |                   |                                | improper handling of URLs by...       |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-26159 |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2024-28849   |          |                   | 1.15.6                         | follow-redirects:                     |
|                      |                  |          |                   |                                | Possible credential leak              |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2024-28849 |
+                      +------------------+----------+-------------------+--------------------------------+---------------------------------------+
|                      | CVE-2022-0155    | HIGH     | 1.5.10            | 1.14.7                         | follow-redirects: Exposure of         |
|                      |                  |          |                   |                                | Private Personal Information          |
|                      |                  |          |                   |                                | to an Unauthorized Actor              |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-0155  |
+                      +------------------+----------+                   +--------------------------------+---------------------------------------+
|                      | CVE-2022-0536    | MEDIUM   |                   | 1.14.8                         | follow-redirects: Exposure            |
|                      |                  |          |                   |                                | of Sensitive Information via          |
|                      |                  |          |                   |                                | Authorization Header leak             |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-0536  |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2023-26159   |          |                   | 1.15.4                         | follow-redirects: Improper            |
|                      |                  |          |                   |                                | Input Validation due to the           |
|                      |                  |          |                   |                                | improper handling of URLs by...       |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-26159 |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2024-28849   |          |                   | 1.15.6                         | follow-redirects:                     |
|                      |                  |          |                   |                                | Possible credential leak              |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2024-28849 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| got                  | CVE-2022-33987   |          | 6.7.1             | 12.1.0, 11.8.5                 | nodejs-got: missing verification      |
|                      |                  |          |                   |                                | of requested URLs allows              |
|                      |                  |          |                   |                                | redirects to UNIX sockets             |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-33987 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| hosted-git-info      | CVE-2021-23362   |          | 2.8.8             | 2.8.9, 3.0.8                   | nodejs-hosted-git-info: Regular       |
|                      |                  |          |                   |                                | Expression denial of service          |
|                      |                  |          |                   |                                | via shortcutMatch in fromUrl()        |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-23362 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| http-cache-semantics | CVE-2022-25881   | HIGH     | 3.8.1             | 4.1.1                          | http-cache-semantics:                 |
|                      |                  |          |                   |                                | Regular Expression Denial of          |
|                      |                  |          |                   |                                | Service (ReDoS) vulnerability         |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-25881 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| ini                  | CVE-2020-7788    |          | 1.3.5             | 1.3.6                          | nodejs-ini: Prototype pollution       |
|                      |                  |          |                   |                                | via malicious INI file                |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-7788  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| ip                   | CVE-2023-42282   | MEDIUM   | 1.1.5             | 2.0.1, 1.1.9                   | nodejs-ip: arbitrary code execution   |
|                      |                  |          |                   |                                | via the isPublic() function           |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-42282 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| json-schema          | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0                          | nodejs-json-schema: Prototype         |
|                      |                  |          |                   |                                | pollution vulnerability               |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-3918  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| minimatch            | CVE-2022-3517    | HIGH     | 3.0.4             | 3.0.5                          | nodejs-minimatch: ReDoS via           |
|                      |                  |          |                   |                                | the braceExpand function              |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-3517  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| minimist             | CVE-2021-44906   | CRITICAL | 1.2.5             | 1.2.6, 0.2.4                   | minimist: prototype pollution         |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-44906 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| node-fetch           | CVE-2022-0235    | HIGH     | 2.6.1             | 3.1.1, 2.6.7                   | node-fetch: exposure of sensitive     |
|                      |                  |          |                   |                                | information to an unauthorized actor  |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-0235  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| path-parse           | CVE-2021-23343   | MEDIUM   | 1.0.6             | 1.0.7                          | nodejs-path-parse:                    |
|                      |                  |          |                   |                                | ReDoS via splitDeviceRe,              |
|                      |                  |          |                   |                                | splitTailRe and splitPathRe           |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-23343 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| qs                   | CVE-2022-24999   | HIGH     | 6.5.2             | 6.10.3, 6.9.7, 6.8.3, 6.7.3,   | express: "qs" prototype poisoning     |
|                      |                  |          |                   | 6.6.1, 6.5.3, 6.4.1, 6.3.3,    | causes the hang of the node process   |
|                      |                  |          |                   | 6.2.4                          | -->avd.aquasec.com/nvd/cve-2022-24999 |
+                      +                  +          +-------------------+                                +                                       +
|                      |                  |          | 6.7.0             |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| request              | CVE-2023-28155   | MEDIUM   | 2.88.0            |                                | The Request package                   |
|                      |                  |          |                   |                                | through 2.88.1 for Node.js            |
|                      |                  |          |                   |                                | allows a bypass of SSRF...            |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-28155 |
+                      +                  +          +-------------------+--------------------------------+                                       +
|                      |                  |          | 2.88.2            |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| semver               | CVE-2022-25883   |          | 5.7.1             | 7.5.2, 6.3.1, 5.7.2            | nodejs-semver: Regular                |
|                      |                  |          |                   |                                | expression denial of service          |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-25883 |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| ssri                 | CVE-2021-27290   | HIGH     | 6.0.1             | 6.0.2, 7.1.1, 8.0.1            | nodejs-ssri: Regular expression       |
|                      |                  |          |                   |                                | DoS (ReDoS) when parsing              |
|                      |                  |          |                   |                                | malicious SRI in strict mode...       |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-27290 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| tar                  | CVE-2021-32803   |          | 4.4.13            | 3.2.3, 4.4.15, 5.0.7, 6.1.2    | nodejs-tar: Insufficient symlink      |
|                      |                  |          |                   |                                | protection allowing arbitrary         |
|                      |                  |          |                   |                                | file creation and overwrite           |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-32803 |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2021-32804   |          |                   | 3.2.2, 4.4.14, 5.0.6, 6.1.1    | nodejs-tar: Insufficient absolute     |
|                      |                  |          |                   |                                | path sanitization allowing arbitrary  |
|                      |                  |          |                   |                                | file creation and overwrite           |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-32804 |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2021-37701   |          |                   | 4.4.16, 5.0.8, 6.1.7           | nodejs-tar: Insufficient symlink      |
|                      |                  |          |                   |                                | protection due to directory cache     |
|                      |                  |          |                   |                                | poisoning using symbolic links...     |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37701 |
+                      +------------------+          +                   +--------------------------------+---------------------------------------+
|                      | CVE-2021-37712   |          |                   | 4.4.18, 5.0.10, 6.1.9          | nodejs-tar: Insufficient symlink      |
|                      |                  |          |                   |                                | protection due to directory cache     |
|                      |                  |          |                   |                                | poisoning using symbolic links...     |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37712 |
+                      +------------------+          +                   +                                +---------------------------------------+
|                      | CVE-2021-37713   |          |                   |                                | nodejs-tar: Arbitrary                 |
|                      |                  |          |                   |                                | File Creation/Overwrite on            |
|                      |                  |          |                   |                                | Windows via insufficient              |
|                      |                  |          |                   |                                | relative path sanitization            |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37713 |
+                      +------------------+----------+                   +--------------------------------+---------------------------------------+
|                      | CVE-2024-28863   | MEDIUM   |                   | 6.2.1                          | node-tar is a Tar for                 |
|                      |                  |          |                   |                                | Node.js. node-tar prior               |
|                      |                  |          |                   |                                | to version 6.2.1 has...               |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2024-28863 |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| tough-cookie         | CVE-2023-26136   |          | 2.4.3             | 4.1.3                          | tough-cookie: prototype               |
|                      |                  |          |                   |                                | pollution in cookie memstore          |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-26136 |
+                      +                  +          +-------------------+                                +                                       +
|                      |                  |          | 2.5.0             |                                |                                       |
|                      |                  |          |                   |                                |                                       |
|                      |                  |          |                   |                                |                                       |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| xml2js               | CVE-2023-0842    |          | 0.4.19            | 0.5.0                          | node-xml2js: xml2js is                |
|                      |                  |          |                   |                                | vulnerable to prototype pollution     |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2023-0842  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| y18n                 | CVE-2020-7774    | HIGH     | 4.0.0             | 3.2.2, 4.0.1, 5.0.5            | nodejs-y18n: prototype                |
|                      |                  |          |                   |                                | pollution vulnerability               |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-7774  |
+----------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| yarn                 | CVE-2021-4435    |          | 1.22.5            | 1.22.13                        | yarn: untrusted search path           |
|                      |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-4435  |
+----------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+