Skip to content

Commit

Permalink
run for BE
Browse files Browse the repository at this point in the history
  • Loading branch information
AdamAdHocTeam committed Oct 7, 2024
1 parent 8162601 commit 9f72edd
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion yarn-audit-known-issues
Original file line number Diff line number Diff line change
@@ -1,2 +1 @@
{"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"found_by":null,"deleted":null,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","id":1096366,"npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(<img\\b[^>]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","metadata":null,"cves":[],"access":"public","severity":"moderate","module_name":"nodemailer","vulnerable_versions":"<=6.9.8","github_advisory_id":"GHSA-9h6g-pr28-7cqp","recommendation":"Upgrade to version 6.9.9 or later","patched_versions":">=6.9.9","updated":"2024-02-01T17:58:50.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1099846,"path":"express>cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.6.0","paths":["express>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"}}}

0 comments on commit 9f72edd

Please sign in to comment.