vuln/npm: first dump of vulns from nsp DB

PR-URL: nodejs/security-wg#26
Reviewed-By: Colin Ihrig <[email protected]>

vuln/npm/1.json

@@ -0,0 +1,21 @@
+{
+  "id": 1,
+  "created_at": "2015-10-17T19:41:46.382+00:00",
+  "updated_at": "2016-04-28T19:16:19+00:00",
+  "title": "Arbitrary JavaScript Execution",
+  "author": "Jarda Kotěšovec",
+  "module_name": "bassmaster",
+  "publish_date": "2014-09-27T16:44:48+00:00",
+  "cves": [
+    "CVE-2014-7205"
+  ],
+  "vulnerable_versions": "<=1.5.1",
+  "patched_versions": ">=1.5.2",
+  "slug": "bassmaster_arbitrary-javascript-execution",
+  "overview": "A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.",
+  "recommendation": "Update to bassmaster version 1.5.2 or greater.",
+  "references": "- https://www.npmjs.org/package/bassmaster\n- https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 6.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/10.json

@@ -0,0 +1,21 @@
+{
+  "id": 10,
+  "created_at": "2015-10-17T19:41:46.382+00:00",
+  "updated_at": "2016-04-20T16:14:03+00:00",
+  "title": "Directory Traversal",
+  "author": "Vikram Chaitanya",
+  "module_name": "geddy",
+  "publish_date": "2015-07-27T23:33:48+00:00",
+  "cves": [
+    "CVE-2015-5688"
+  ],
+  "vulnerable_versions": "<13.0.8",
+  "patched_versions": ">=13.0.8",
+  "slug": "geddy_directory-traversal",
+  "overview": "Geddy static file serving allows directory traversal with a URI encoded path.\n\n### Example\n```\nhttp://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd\n\ngeddy is serving the output as it doesn't match the routes and it's a static file\n```",
+  "recommendation": "Update to version >= 13.0.8",
+  "references": "- https://github.com/geddy/geddy/issues/697\n- https://github.com/geddy/geddy/pull/699",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+  "cvss_score": 5.3,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/100.json

@@ -0,0 +1,19 @@
+{
+  "id": 100,
+  "created_at": "2016-04-15T15:56:18+00:00",
+  "updated_at": "2017-04-14T18:44:23.704+00:00",
+  "title": "Regular Expression Denial Of Service",
+  "author": "Peter Dotchev",
+  "module_name": "uri-js",
+  "publish_date": "2017-04-14T18:44:23.702+00:00",
+  "cves": [],
+  "vulnerable_versions": "<=2.1.1",
+  "patched_versions": ">=3.0.0",
+  "slug": "uri-js_regular-expression-denial-of-service",
+  "overview": "uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. \nTo check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input.",
+  "recommendation": "Upgrade to v3.0.0",
+  "references": "- https://github.com/garycourt/uri-js/issues/12\n- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+  "cvss_score": 7.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/101.json

@@ -0,0 +1,19 @@
+{
+  "id": 101,
+  "created_at": "2016-04-18T16:26:59+00:00",
+  "updated_at": "2017-01-20T18:39:56+00:00",
+  "title": "Sanitization bypass using HTML Entities",
+  "author": "Matt Austin",
+  "module_name": "marked",
+  "publish_date": "2016-04-18T16:45:00+00:00",
+  "cves": [],
+  "vulnerable_versions": "<=0.3.5",
+  "patched_versions": ">=0.3.6",
+  "slug": "marked_content-injection",
+  "overview": "marked is an application that is meant to parse and compile markdown.\n\nDue to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL.\n\nThis flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. \n\nFor example:\n\nIf a malicious user could provide this input to the application `javascript&#x58document;alert&#40;1&#41;` resulting in a valid link, that when a user clicked it would execute `alert(1)`.",
+  "recommendation": "Upgrade to version 0.3.6 or greater.",
+  "references": "- https://github.com/chjj/marked/pull/592\n- https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+  "cvss_score": 5.3,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/102.json

@@ -0,0 +1,19 @@
+{
+  "id": 102,
+  "created_at": "2016-04-18T21:16:04+00:00",
+  "updated_at": "2016-10-31T20:33:10+00:00",
+  "title": "Improper Escaping of Bound Arrays",
+  "author": "Leibale Eidelman",
+  "module_name": "sequelize",
+  "publish_date": "2016-10-31T20:33:10+00:00",
+  "cves": [],
+  "vulnerable_versions": "<=3.19.3",
+  "patched_versions": ">=3.20.0",
+  "slug": "sequalize_improper-escaping-of-bound-arrays",
+  "overview": "sequalize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS\n\nIn Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped.\n\nThis causes potential SQL injection, where a malicious user could put `[\"test\", \"'); DELETE TestTable WHERE Id = 1 --')\"]` inside of\n```\ndatabase.query('SELECT * FROM TestTable WHERE Name IN (:names)', {\n  replacements: {\n    names: directCopyOfUserInput\n  }\n});\n``` and cause the SQL statement to become `SELECT Id FROM Table WHERE Name IN ('test', '\\'); DELETE TestTable WHERE Id = 1 --')`. \n\nIn Postgres, MSSQL, and SQLite, the backslash has no special meaning. This causes the the statement to delete whichever Id has a value of 1 in the TestTable table.",
+  "recommendation": "Upgrade to sequelize version 3.20.0 or greater",
+  "references": "- https://github.com/sequelize/sequelize/issues/5671",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 4.8,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/104.json

@@ -0,0 +1,19 @@
+{
+  "id": 104,
+  "created_at": "2016-04-21T18:27:18+00:00",
+  "updated_at": "2016-06-22T16:23:20+00:00",
+  "title": "SSL Validation Defaults to False",
+  "author": "Mark Lee",
+  "module_name": "electron-packager",
+  "publish_date": "2016-04-22T15:56:50+00:00",
+  "cves": [],
+  "vulnerable_versions": ">= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2",
+  "patched_versions": ">= 7.0.0",
+  "slug": "electron-packager_ssl-validation-defaults-to-false",
+  "overview": "- electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron.\n- The `--strict-ssl` command line option defaults to false if not explicitly set to true\n\nThis could allow an attacker to Man In The Middle (MITM) the step where electron-packager does the following step: \"Download all supported target platforms and arches of Electron using the installed electron-prebuilt version (and cache the downloads in ~/.electron)\" effecting the integrity of the package and the cached downloads in ~/.electron.\n\nThis only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.",
+  "recommendation": "Upgrade to at least version 7.0.0\n\nIt's also recommended to delete the electron-download cache folder, by default named .electron, and located in your home folder. For example:\n\n```\nrm -rf ~/.electron\n```",
+  "references": "- https://github.com/electron-userland/electron-packager/issues/333",
+  "cvss_vector": "CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
+  "cvss_score": 3.1,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/106.json

@@ -0,0 +1,19 @@
+{
+  "id": 106,
+  "created_at": "2016-05-04T16:34:12+00:00",
+  "updated_at": "2016-06-16T20:37:24+00:00",
+  "title": "Regular Expression Denial of Service",
+  "author": "Adam Baldwin",
+  "module_name": "negotiator",
+  "publish_date": "2016-06-16T17:36:06+00:00",
+  "cves": [],
+  "vulnerable_versions": "<= 0.6.0",
+  "patched_versions": ">= 0.6.1",
+  "slug": "negotiator_regular-expression-denial-of-service",
+  "overview": "negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.\n\nThe header for \"Accept-Language\", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string. \n\nTimeline\n\n- April 29th 2016 - Initial report to maintainers\n- April 29th 2016 - Confirm receipt from maintainers\n- May 1st 2016 - Fix confirmed\n- May 5th 2016 - 0.6.1 published with fix\n- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)",
+  "recommendation": "Upgrade to at least version 0.6.1\n\nExpress users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call,  a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.",
+  "references": "- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+  "cvss_score": 7.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/107.json

@@ -0,0 +1,21 @@
+{
+  "id": 107,
+  "created_at": "2016-05-05T20:30:51+00:00",
+  "updated_at": "2016-06-27T20:20:11+00:00",
+  "title": "Cross Site Scripting",
+  "author": "Unknown",
+  "module_name": "dojo",
+  "publish_date": "2016-05-23T16:48:27+00:00",
+  "cves": [
+    "CVE-2008-6681"
+  ],
+  "vulnerable_versions": "<= 1.0",
+  "patched_versions": ">= 1.1",
+  "slug": "dojo_cross-site-scripting",
+  "overview": "dojo is the core module for the Dojo Toolkit. The dojo package covers a wide range of functionality like AJAX, DOM manipulation, class-type programming, events, promises, data stores, drag-and-drop and internationalization libraries.\n\nThere is a bug in the `dijit.Editor` and `textarea` where input, even sanitized, executes javascript. This is because the `<textarea>` tag only sees the final, unsanitized, user input.",
+  "recommendation": "Upgrade to at least version 1.1",
+  "references": "- https://bugs.dojotoolkit.org/ticket/2140",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
+  "cvss_score": 4.3,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/108.json

@@ -0,0 +1,19 @@
+{
+  "id": 108,
+  "created_at": "2016-05-05T21:21:09+00:00",
+  "updated_at": "2016-05-23T17:50:20+00:00",
+  "title": "Cross Site Scripting",
+  "author": "Unknown",
+  "module_name": "backbone",
+  "publish_date": "2016-05-23T17:50:20+00:00",
+  "cves": [],
+  "vulnerable_versions": "<= 0.3.3",
+  "patched_versions": ">= 0.5.0",
+  "slug": "backbone_cross-site-scripting",
+  "overview": "backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON\n\nThere exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function if a user is able to supply input.\n\nThis is due to the regex that's replacing things to miss the conversion of things such as `&#60;` to `<`.",
+  "recommendation": "Upgrade to at least version 0.5.0",
+  "references": "- https://github.com/jashkenas/backbone/compare/0.3.3...0.5.0#diff-0d56d0d310de7ff18b3cef9c2f8f75dcL1008\n- backbonejs.org/#changelog",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 6.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/109.json

@@ -0,0 +1,19 @@
+{
+  "id": 109,
+  "created_at": "2016-05-05T21:50:26+00:00",
+  "updated_at": "2016-10-31T20:32:07+00:00",
+  "title": "Potential SQL Injection",
+  "author": null,
+  "module_name": "sequelize",
+  "publish_date": "2016-10-31T20:32:07+00:00",
+  "cves": [],
+  "vulnerable_versions": "<= 2.1.3",
+  "patched_versions": ">= 3.0.0",
+  "slug": "sequelize_potential-sql-injection",
+  "overview": "sequalize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS\n\nA fix was pushed out that fixed potential SQL injection.\n\nThe two fixes were\n\n- [REMOVED/SECURITY] findOne no longer takes a string / integer / binary argument to represent a primaryKey. Use findById instead\n- [REMOVED/SECURITY] where: \"raw query\" is no longer legal, you must now explicitly use where: [\"raw query\", [replacements]]",
+  "recommendation": "Upgrade to at least version 3.0.0",
+  "references": "- https://github.com/sequelize/sequelize/blob/master/changelog.md#300",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 6.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/11.json

@@ -0,0 +1,21 @@
+{
+  "id": 11,
+  "created_at": "2015-10-17T19:41:46.382+00:00",
+  "updated_at": "2016-04-28T19:59:41+00:00",
+  "title": "File Descriptor Leak Can Cause DoS Vulnerability",
+  "author": "Jo Liss",
+  "module_name": "hapi",
+  "publish_date": "2014-02-14T17:33:48+00:00",
+  "cves": [
+    "CVE-2014-3742"
+  ],
+  "vulnerable_versions": "2.0.x || 2.1.x",
+  "patched_versions": ">= 2.2.x",
+  "slug": "hapi_file-descriptor-leak-can-cause-dos-vulnerability",
+  "overview": "Versions 2.0.x and 2.1.x have a file descriptor leak that when triggered repeatedly will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the process file descriptor limit. No other side effects or exploits have been identified.\n\n### Impact\n\nThis vulnerability allows an attacker to take down a hapi-based server running versions 2.0.x and 2.1.x.\n\nThis does NOT affect hapi 1.x deployments.",
+  "recommendation": "- Please upgrade to version 2.2.x or above as soon as possible.",
+  "references": "https://github.com/spumko/hapi/issues/1427",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+  "cvss_score": 7.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/112.json

@@ -0,0 +1,19 @@
+{
+  "id": 112,
+  "created_at": "2016-05-05T22:08:26+00:00",
+  "updated_at": "2016-10-31T20:31:20+00:00",
+  "title": "SQL Injection",
+  "author": "Spencer Creasey",
+  "module_name": "sequelize",
+  "publish_date": "2016-10-31T20:31:20+00:00",
+  "cves": [],
+  "vulnerable_versions": "<= 3.16.0",
+  "patched_versions": ">= 3.17.0",
+  "slug": "sequelize_sql-injection",
+  "overview": "sequalize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS\n\nIf user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. \n\n`1; DELETE FROM \"Users\" WHERE 1=1; --`",
+  "recommendation": "Upgrade sequelize to version 3.17.0 or greater",
+  "references": "- https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 6.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/113.json

@@ -0,0 +1,19 @@
+{
+  "id": 113,
+  "created_at": "2016-05-05T22:16:32+00:00",
+  "updated_at": "2016-10-31T20:32:24+00:00",
+  "title": "SQL Injection",
+  "author": null,
+  "module_name": "sequelize",
+  "publish_date": "2016-10-31T20:32:24+00:00",
+  "cves": [],
+  "vulnerable_versions": "<= 1.7.0-alpha2",
+  "patched_versions": ">= 1.7.0-alpha3",
+  "slug": "sequelize_sql-injection",
+  "overview": "sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS\n\nBefore version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping.",
+  "recommendation": "Upgrade to at least version <=1.7.0-alpha3",
+  "references": "- https://github.com/sequelize/sequelize/commit/c876192aa6ce1f67e22b26a4d175b8478615f42d",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 6.5,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/114.json

@@ -0,0 +1,21 @@
+{
+  "id": 114,
+  "created_at": "2016-05-05T22:29:59+00:00",
+  "updated_at": "2017-02-10T19:28:03+00:00",
+  "title": "Insecure Defaults Leads to Potential MITM",
+  "author": "Adam Baldwin",
+  "module_name": "ezseed-transmission",
+  "publish_date": "2016-07-29T22:27:11+00:00",
+  "cves": [
+    "CVE-2016-1000224"
+  ],
+  "vulnerable_versions": ">= 0.0.10 <= 0.0.14",
+  "patched_versions": ">= 0.0.15",
+  "slug": "ezseed-transmission_insecure-defaults-leads-to-potential-mitm",
+  "overview": "ezseed-transmission is a module that provides shell bindings for Ezseed transmission.\n\nBetween versions 0.0.10 and 0.0.14 (inclusive), ezseed-transmission would download a script from `http://stedolan.github.io/jq/download/linux64/jq` without checking the certificate.  An attacker on the same network or on an ISP level could intercept the traffic and push their own version of the file, causing the attackers code to be executed.",
+  "recommendation": "Upgrade to at least version 0.0.15",
+  "references": null,
+  "cvss_vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+  "cvss_score": 4.2,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/115.json

@@ -0,0 +1,19 @@
+{
+  "id": 115,
+  "created_at": "2016-05-06T16:50:34+00:00",
+  "updated_at": "2016-10-31T20:31:32+00:00",
+  "title": "SQL Injection",
+  "author": "James Hush",
+  "module_name": "waterline-sequel",
+  "publish_date": "2016-10-31T20:31:32+00:00",
+  "cves": [],
+  "vulnerable_versions": "0.5.0",
+  "patched_versions": ">= 0.5.1",
+  "slug": "waterline-sequel_sql-injection",
+  "overview": "waterline-sequel is a module that helps generate SQL statements for Waterline apps\n\nAny user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code.\n\nA malicious user can input their own SQL statements that will get executed and have full access to the database.",
+  "recommendation": "Upgrade to at least version 0.5.1",
+  "references": "- https://github.com/balderdashy/waterline/issues/1219#issuecomment-157294530\n- https://www.owasp.org/index.php/SQL_Injection",
+  "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
+  "cvss_score": 8.2,
+  "coordinating_vendor": "^Lift Security"
+}

vuln/npm/116.json

@@ -0,0 +1,19 @@
+{
+  "id": 116,
+  "created_at": "2016-05-15T15:44:16+00:00",
+  "updated_at": "2016-10-31T20:31:53+00:00",
+  "title": "Resources Downloaded over Insecure Protocol",
+  "author": "Adam Baldwin",
+  "module_name": "igniteui",
+  "publish_date": "2016-10-31T20:31:53+00:00",
+  "cves": [],
+  "vulnerable_versions": "<=0.0.5",
+  "patched_versions": "<0.0.0",
+  "slug": "igniteui_resources-downloaded-over-insecure-protocol",
+  "overview": "Downloads JavaScript and CSS resources over insecure protocol\n\nhttp://cdn-na.infragistics.com/igniteui/latest/css/structure/infragistics.css\nhttp://cdn-na.infragistics.com/igniteui/latest/css/themes/infragistics/infragistics.theme.css\nhttp://cdn-na.infragistics.com/igniteui/latest/js/infragistics.lob.js\nhttp://cdn-na.infragistics.com/igniteui/latest/js/infragistics.dv.js\nhttp://cdn-na.infragistics.com/igniteui/latest/js/infragistics.core.js",
+  "recommendation": null,
+  "references": null,
+  "cvss_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
+  "cvss_score": 3.5,
+  "coordinating_vendor": "^Lift Security"
+}