GHSA-896r-f27r-55mw
advisory-database
GHSA-896r-f27r-55mw | advisory-database | |
---|---|---|
2 | 10 | |
- | 1,624 | |
- | 2.2% | |
- | 10.0 | |
- | 1 day ago | |
- | Creative Commons Attribution 4.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-896r-f27r-55mw
-
Try to install git repository with Hardhat and got a lot of vulnerabilities
127 packages are looking for funding run `npm fund` for details # npm audit report async 2.0.0 - 2.6.3 Severity: high Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25 No fix available node_modules/ganache-core/node_modules/async ganache-core <=2.1.0-beta.7 || >=2.1.1 Depends on vulnerable versions of async Depends on vulnerable versions of lodash Depends on vulnerable versions of web3 Depends on vulnerable versions of web3-provider-engine node_modules/ganache-core @ethereum-waffle/provider <=4.0.1-dev.37f589d || 4.0.2-dev.0a87072 - 4.0.2-dev.c513a49 || 4.0.3-dev.0c13fb9 - 4.0.3-dev.e7e18f6 || 4.0.5-dev.06c4b26 - 4.0.5-dev.90390a9 Depends on vulnerable versions of @ethereum-waffle/ens Depends on vulnerable versions of ganache-core node_modules/@ethereum-waffle/provider @ethereum-waffle/chai 2.5.0 - 4.0.0-dev.e3fa452 Depends on vulnerable versions of @ethereum-waffle/provider node_modules/@ethereum-waffle/chai ethereum-waffle 2.3.0-istanbul.0 - 4.0.0-dev.e3fa452 Depends on vulnerable versions of @ethereum-waffle/chai Depends on vulnerable versions of @ethereum-waffle/provider node_modules/ethereum-waffle @nomiclabs/hardhat-waffle * Depends on vulnerable versions of ethereum-waffle node_modules/@nomiclabs/hardhat-waffle cross-fetch <=2.2.5 || 3.0.0 - 3.0.5 Severity: moderate Incorrect Authorization in cross-fetch - https://github.com/advisories/GHSA-7gc6-qh9x-w6h8 Depends on vulnerable versions of node-fetch fix available via `npm audit fix` node_modules/ganache-core/node_modules/cross-fetch elliptic <6.5.4 Severity: moderate Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w fix available via `npm audit fix` node_modules/ganache-core/node_modules/elliptic @ethersproject/signing-key <=5.0.9 Depends on vulnerable versions of elliptic node_modules/ganache-core/node_modules/@ethersproject/signing-key got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 No fix available node_modules/ganache-core/node_modules/got node_modules/ganache-core/node_modules/swarm-js/node_modules/got swarm-js 0.1.1 - 0.1.17 || 0.1.35 - 0.1.40 Depends on vulnerable versions of got node_modules/ganache-core/node_modules/swarm-js web3-bzz <=1.7.4 Depends on vulnerable versions of got Depends on vulnerable versions of underscore node_modules/ganache-core/node_modules/web3-bzz web3 <=1.7.4 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of web3-bzz Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-eth Depends on vulnerable versions of web3-eth-personal Depends on vulnerable versions of web3-net Depends on vulnerable versions of web3-shh Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3 json-schema <0.4.0 Severity: critical json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw fix available via `npm audit fix` node_modules/ganache-core/node_modules/json-schema jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1 Depends on vulnerable versions of json-schema node_modules/ganache-core/node_modules/jsprim lodash <=4.17.20 Severity: high Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9 fix available via `npm audit fix` node_modules/ganache-core/node_modules/lodash minimist <1.2.6 Severity: critical Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h fix available via `npm audit fix` node_modules/ganache-core/node_modules/minimist node-fetch <=2.6.6 Severity: high The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g No fix available node_modules/ganache-core/node_modules/fetch-ponyfill/node_modules/node-fetch node_modules/ganache-core/node_modules/node-fetch fetch-ponyfill 1.0.0 - 6.0.2 Depends on vulnerable versions of node-fetch node_modules/ganache-core/node_modules/fetch-ponyfill eth-json-rpc-middleware 1.1.0 - 5.0.2 Depends on vulnerable versions of fetch-ponyfill node_modules/ganache-core/node_modules/eth-json-rpc-middleware eth-json-rpc-infura <=5.0.0 Depends on vulnerable versions of eth-json-rpc-middleware node_modules/ganache-core/node_modules/eth-json-rpc-infura web3-provider-engine 14.0.0 - 15.0.12 Depends on vulnerable versions of eth-json-rpc-infura node_modules/ganache-core/node_modules/web3-provider-engine normalize-url 4.3.0 - 4.5.0 Severity: high ReDoS in normalize-url - https://github.com/advisories/GHSA-px4h-xg32-q955 fix available via `npm audit fix` node_modules/ganache-core/node_modules/normalize-url path-parse <1.0.7 Severity: moderate Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9 fix available via `npm audit fix` node_modules/ganache-core/node_modules/path-parse s imple-get <2.8.2 Severity: high Exposure of Sensitive Information in simple-get - https://github.com/advisories/GHSA-wpg7-2c88-r8xv fix available via `npm audit fix` node_modules/ganache-core/node_modules/simple-get tar <=4.4.17 Severity: high Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw fix available via `npm audit fix` node_modules/ganache-core/node_modules/tar underscore 1.3.2 - 1.12.0 Severity: critical Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq No fix available node_modules/ganache-core/node_modules/underscore web3-core-helpers <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-eth-iban Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-core-helpers web3-core <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-core-requestmanager Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-core web3-eth-ens <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-eth-abi Depends on vulnerable versions of web3-eth-contract Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth-ens web3-eth <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-core-subscriptions Depends on vulnerable versions of web3-eth-abi Depends on vulnerable versions of web3-eth-accounts Depends on vulnerable versions of web3-eth-contract Depends on vulnerable versions of web3-eth-ens Depends on vulnerable versions of web3-eth-iban Depends on vulnerable versions of web3-eth-personal Depends on vulnerable versions of web3-net Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth web3-core-method <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-subscriptions Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-core-method web3-net 1.2.0 - 1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-net web3-eth-personal <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-net Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth-personal web3-shh <=1.3.5 Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-core-subscriptions Depends on vulnerable versions of web3-net node_modules/ganache-core/node_modules/web3-shh web3-core-subscriptions <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core-helpers node_modules/ganache-core/node_modules/web3-core-subscriptions web3-eth-contract <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-core-subscriptions Depends on vulnerable versions of web3-eth-abi Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth-contract web3-providers-http <=1.0.0 || 1.2.0 - 1.3.5 || 3.0.0-rc.0 - 3.0.0-rc.4 Depends on vulnerable versions of web3-core-helpers node_modules/ganache-core/node_modules/web3-providers-http web3-providers-ipc <=1.3.6-rc.2 || 3.0.0-rc.0 - 3.0.0-rc.5 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core-helpers node_modules/ganache-core/node_modules/web3-providers-ipc web3-providers-ws <=1.3.6-rc.2 || 3.0.0-rc.0 - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core-helpers node_modules/ganache-core/node_modules/web3-providers-ws web3-core-requestmanager <=1.3.5 || 3.0.0-rc.0 - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-providers-http Depends on vulnerable versions of web3-providers-ipc Depends on vulnerable versions of web3-providers-ws node_modules/ganache-core/node_modules/web3-core-requestmanager web3-eth-abi <=1.3.6-rc.2 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth-abi web3-eth-accounts <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore Depends on vulnerable versions of web3-core Depends on vulnerable versions of web3-core-helpers Depends on vulnerable versions of web3-core-method Depends on vulnerable versions of web3-utils n ode_modules/ganache-core/node_modules/web3-eth-accounts web3-utils 1.0.0-beta.8 - 1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of underscore node_modules/ganache-core/node_modules/web3-utils web3-eth-iban <=1.3.5 || 2.0.0-alpha - 3.0.0-rc.4 Depends on vulnerable versions of web3-utils node_modules/ganache-core/node_modules/web3-eth-iban ws 5.0.0 - 5.2.2 Severity: moderate ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693 fix available via `npm audit fix` node_modules/ganache-core/node_modules/web3-provider-engine/node_modules/ws yargs-parser <=5.0.0 Severity: moderate yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp No fix available node_modules/@ensdomains/ens/node_modules/yargs-parser yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 Depends on vulnerable versions of yargs-parser node_modules/@ensdomains/ens/node_modules/yargs solc 0.3.6 - 0.4.26 Depends on vulnerable versions of yargs node_modules/@ensdomains/ens/node_modules/solc @ensdomains/ens * Depends on vulnerable versions of solc node_modules/@ensdomains/ens @ethereum-waffle/ens <=4.0.1-dev.e7e18f6 || 4.0.3-dev.06c4b26 - 4.0.3-dev.90390a9 Depends on vulnerable versions of @ensdomains/ens node_modules/@ethereum-waffle/ens 51 vulnerabilities (4 low, 12 moderate, 11 high, 24 critical) To address issues that do not require attention, run: npm audit fix Some issues need review, and may require choosing a different dependency.
-
GitHub’s database of security advisories is now open source
What is the rationale behind GHSA advisory score having a lower score for vulnerability severity than what the security community thinks. I've come across this again and again where the CVSS score was higher than the GHSA. Example:
GHSA has moderate severity:
https://github.com/advisories/GHSA-896r-f27r-55mw
The CVSS3 score of the CVE is actually critical!!
If GHSA is "self-reporting" then why is it allowed to deviate in a direction that is harmful (downplaying the issue). If this means what I think it means (and I might be wrong) then the GHSA score is broken.
Also it breaks security workflows that build on GHSA: If a manager looking at the conflicting severity levels lowers the urgency of the backlog ticket because severity is only moderate.
advisory-database
- Request GitHub to build an advisory database for C / C++ packages · Issue #2963 · github/advisory-database
- Extend GitHub's CNA scope to manage CVEs for projects on GitHub
-
A CVE has been issued for hyper. Denial of Service possible
That has since been updated to Moderate: https://github.com/github/advisory-database/commit/aa9e5d5386c5610944edf2b0ee0e4301aabaf1c5
-
CVE-2022-23529 – node-jsonwebtoken
I am trying this on GitHub https://github.com/github/advisory-database/pull/1595
- CVE-2022-23529 - jsonwebtoken has insecure input validation in jwt.verify function - used by over 22,000 projects and downloaded over 36 million times per month on NPM - Exploiting the flaw could enable attackers to bypass authentication mechanisms, access confidential information etc.
-
GitHub’s database of security advisories is now open source
We already have fixed versions (where they exist) - example link below.
On backfilling the data to include advisories from before 2017 - absolutely. So far we've done this in a relatively ad-hoc way - you should already find that the most important (severe and wide-reaching) CVEs from before 2017 are in the database (and if there are any that aren't you think should be we'd love you to open an issue on the DB). We want to do a more complete backfill in the near future.
https://github.com/github/advisory-database/blob/main/adviso...
- GitHub's database of known vulnerabilities is now open source
- Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software
What are some alternatives?
GHSA-px4h-xg32-q955
h2 - HTTP 2.0 client & server implementation for Rust.
GHSA-fwr7-v2mv-hh25
vulndb - [mirror] The Go Vulnerability Database
elixir-security-advisories - Public database of Elixir security advisories
GHSA-3jfq-g458-7qm9
rustsec - RustSec API & Tooling
Apache Log4j 2 - Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.
napkin-math - Techniques and numbers for estimating system's performance from first-principles
GHSA-7gc6-qh9x-w6h8
hyper - An HTTP library for Rust