Bulk vulnerability fix - Lockfile fix

[debricked-staging]

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–3777

• Description

  Incorrect Comparison

  The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

  NVD

  nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

  GitHub

  Regular Expression Denial of Service in tmpl

  nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      NVD - CVE-2021-3777
      Regular Expression Denial of Service in tmpl · CVE-2021-3777 · GitHub Advisory Database · GitHub
      fix potential dos in regex · daaku/nodejs-tmpl@4c654e4 · GitHub
      Inefficient Regular Expression Complexity vulnerability found in nodejs-tmpl

CVE–2021–3918

• Description

  Improperly Controlled Modification of Dynamically-Determined Object Attributes

  The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

  NVD

  json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  GitHub

  json-schema is vulnerable to Prototype Pollution

  json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

• CVSS details - 9.8

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	High
  Availability	High

• References

      NVD - CVE-2021-3918
      Don't allow proto property to be used for schema default/coerce, … · kriszyp/json-schema@22f1461 · GitHub
      Prototype Pollution vulnerability found in json-schema
      Create SECURITY.md · Issue #84 · kriszyp/json-schema · GitHub
      GitHub - kriszyp/json-schema: JSON Schema specifications, reference schemas, and a CommonJS implementation
      json-schema/validate.js at master · kriszyp/json-schema · GitHub
      json-schema is vulnerable to Prototype Pollution · CVE-2021-3918 · GitHub Advisory Database · GitHub
      Protect against constructor modification, #84 · kriszyp/json-schema@b62f1da · GitHub
      Use a little more robust method of checking instances · kriszyp/json-schema@f6f6a3b · GitHub

CVE–2021–29059

• Description

  Allocation of Resources Without Limits or Throttling

  The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  NVD

  A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

  GitHub

  ReDOS in IS-SVG

  A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

• CVSS details - 7.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	None
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      NVD - CVE-2021-29059
      SaveResults/is-svg.js at main · yetingli/SaveResults · GitHub
      is-svg - npm
      Release v4.3.0 · sindresorhus/is-svg · GitHub
      PoCs/IS-SVG.md at main · yetingli/PoCs · GitHub
      GitHub - sindresorhus/is-svg: Check if a string or buffer is SVG
      GitHub - sindresorhus/is-svg: Check if a string or buffer is SVG
      Improve performance and accuracy · sindresorhus/is-svg@732fc72 · GitHub
      ReDOS in IS-SVG · CVE-2021-29059 · GitHub Advisory Database · GitHub

CVE–2021–3801

• Description

  Incorrect Comparison

  The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

  NVD

  prism is vulnerable to Inefficient Regular Expression Complexity

  GitHub

  Regular Expression Denial of Service in prismjs

  The prismjs package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted HTML comment as input may cause an application to consume an excessive amount of CPU.

• CVSS details - 6.5

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Unchanged
  Confidentiality	None
  Integrity	None
  Availability	High

• References

      NVD - CVE-2021-3801
      Regular Expression Denial of Service in prismjs · CVE-2021-3801 · GitHub Advisory Database · GitHub
      Markup: Fixed ReDoS (#3078) · PrismJS/prism@0ff371b · GitHub
      Inefficient Regular Expression Complexity vulnerability found in prism

CVE–2022–23647

• Description

  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  NVD

  Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

  GitHub

  Cross-site Scripting in Prism

  Impact

  Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.

  Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

  Patches

  This bug has been fixed in v1.27.0.

  Workarounds

  Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.

  References

  • Command Line: Escape markup in command line output PrismJS/prism#3341

• CVSS details - 6.1

   

  CVSS3 metrics
  Attack Vector	Network
  Attack Complexity	Low
  Privileges Required	None
  User interaction	Required
  Scope	Changed
  Confidentiality	Low
  Integrity	Low
  Availability	None

• References

      NVD - CVE-2022-23647
      Cross-site Scripting in Prism · CVE-2022-23647 · GitHub Advisory Database · GitHub
      Command Line: Escape markup in command line output by at055612 · Pull Request #3341 · PrismJS/prism · GitHub
      Command Line: Escape markup in command line output (#3341) · PrismJS/prism@e002e78 · GitHub
      XSS vulnerability in the Command line plugin in prismjs · Advisory · PrismJS/prism · GitHub

CVE–2022–0144

• Description

  Improper Privilege Management

  The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  NVD

  shelljs is vulnerable to Improper Privilege Management

  GitHub

  Improper Privilege Management in shelljs

  shelljs is vulnerable to Improper Privilege Management

• CVSS details - 7.1

   

  CVSS3 metrics
  Attack Vector	Local
  Attack Complexity	Low
  Privileges Required	Low
  User interaction	None
  Scope	Unchanged
  Confidentiality	High
  Integrity	None
  Availability	High

• References

      NVD - CVE-2022-0144
      fix(exec): lockdown file permissions (#1060) · shelljs/shelljs@d919d22 · GitHub
      Improper Privilege Management vulnerability found in shelljs
      Trying to get in touch regarding a security issue · Issue #1058 · shelljs/shelljs · GitHub
      GitHub - shelljs/shelljs: Portable Unix shell commands for Node.js
      shelljs/exec.js at master · shelljs/shelljs · GitHub
      Improper Privilege Management in shelljs · CVE-2022-0144 · GitHub Advisory Database · GitHub

debricked–180554

• Description

  GitHub

  Improper Privilege Management in shelljs

  Impact

  Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

  Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

  Patches

  Patched in shelljs 0.8.5

  Workarounds

  Recommended action is to upgrade to 0.8.5.

  References

  https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

  For more information

  If you have any questions or comments about this advisory:

  • Ask at Trying to get in touch regarding a security issue shelljs/shelljs#1058
  • Open an issue at https://github.com/shelljs/shelljs/issues/new

• CVSS details

      No information

• References

      Improper Privilege Management in shelljs · GHSA-64g7-mvw6-v9qj · GitHub Advisory Database · GitHub
      Improper Privilege Management vulnerability found in shelljs
      Improper Privilege Management in shell.exec · Advisory · shelljs/shelljs · GitHub

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked