+---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-1747 | critical | 9.80 | pyyaml | 5.3 | fixed in 5.3.1 | > 11 months | < 1 hour | A vulnerability was discovered in the PyYAML | | | | | | | | | | library in versions before 5.3.1, where it is | | | | | | | | | | susceptible to arbitrary code execution when it | | | | | | | | | | processes u... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-14343 | critical | 9.80 | pyyaml | 5.3 | fixed in 5.4 | 35 days | < 1 hour | A vulnerability was discovered in the PyYAML | | | | | | | | | | library in versions before 5.4, where it is | | | | | | | | | | susceptible to arbitrary code execution when it | | | | | | | | | | processes unt... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-13797 | critical | 9.80 | macaddress | 0.2.8 | fixed in 0.2.9 | > 2 years | < 1 hour | The macaddress module before 0.2.9 for Node.js is | | | | | | | | | | prone to an arbitrary command injection flaw, due | | | | | | | | | | to allowing unsanitized input to an exec (rather | | | | | | | | | | t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-36242 | critical | 9.10 | cryptography | 2.8 | fixed in 3.3.2 | 37 days | < 1 hour | In the cryptography package before 3.3.2 for | | | | | | | | | | Python, certain sequences of update calls to | | | | | | | | | | symmetrically encrypt multi-GB values could result | | | | | | | | | | in an int... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-q42p-pg8m-cqh6 | critical | 9.00 | handlebars | 4.0.6 | fixed in 3.0.7, 4.0.14, 4.1.2 | > 1 years | < 1 hour | Versions of `handlebars` prior to 4.0.14 are | | | | | | | | | | vulnerable to Prototype Pollution. Templates may | | | | | | | | | | alter an Objects\' prototype, thus allowing an | | | | | | | | | | attacker ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-3774 | high | 10.00 | url-parse | 1.4.0 | fixed in 1.4.3 | > 2 years | < 1 hour | Incorrect parsing in url-parse <1.4.3 returns | | | | | | | | | | wrong hostname which leads to multiple | | | | | | | | | | vulnerabilities such as SSRF, Open Redirect, | | | | | | | | | | Bypass Authenticatio... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-19919 | high | 9.80 | handlebars | 4.0.6 | fixed in 4.3.0 | > 1 years | < 1 hour | Versions of handlebars prior to 4.3.0 are | | | | | | | | | | vulnerable to Prototype Pollution leading to | | | | | | | | | | Remote Code Execution. Templates may alter an | | | | | | | | | | Object\'s __proto... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-1000620 | high | 9.80 | cryptiles | 2.0.5 | fixed in 4.1.2 | > 2 years | < 1 hour | Eran Hammer cryptiles version 4.1.1 earlier | | | | | | | | | | contains a CWE-331: Insufficient Entropy | | | | | | | | | | vulnerability in randomDigits() method that can | | | | | | | | | | result in An atta... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10744 | high | 9.10 | lodash | 3.10.1 | fixed in 4.17.12 | > 1 years | < 1 hour | Versions of lodash lower than 4.17.12 are | | | | | | | | | | vulnerable to Prototype Pollution. The function | | | | | | | | | | defaultsDeep could be tricked into adding or | | | | | | | | | | modifying prope... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10744 | high | 9.10 | lodash | 4.17.4 | fixed in 4.17.12 | > 1 years | < 1 hour | Versions of lodash lower than 4.17.12 are | | | | | | | | | | vulnerable to Prototype Pollution. The function | | | | | | | | | | defaultsDeep could be tricked into adding or | | | | | | | | | | modifying prope... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-3739 | high | 9.10 | https-proxy-agent | 1.0.0 | fixed in 2.2.0 | > 3 years | < 1 hour | https-proxy-agent before 2.1.1 passes auth | | | | | | | | | | option to the Buffer constructor without proper | | | | | | | | | | sanitization, resulting in DoS and uninitialized | | | | | | | | | | memory lea... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-35654 | high | 8.80 | pillow | 7.2.0 | fixed in 8.1.0 | 64 days | < 1 hour | In Pillow before 8.1.0, TiffDecode has a | | | | | | | | | | heap-based buffer overflow when decoding crafted | | | | | | | | | | YCbCr files because of certain interpretation | | | | | | | | | | conflicts with... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-12691 | high | 8.80 | python-keystoneclient | 3.22.0 | fixed in 15.0.1 | > 10 months | < 1 hour | An issue was discovered in OpenStack Keystone | | | | | | | | | | before 15.0.1, and 16.0.0. Any authenticated user | | | | | | | | | | can create an EC2 credential for themselves for a | | | | | | | | | | proj... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-12690 | high | 8.80 | python-keystoneclient | 3.22.0 | fixed in 15.0.1 | > 10 months | < 1 hour | An issue was discovered in OpenStack Keystone | | | | | | | | | | before 15.0.1, and 16.0.0. The list of roles | | | | | | | | | | provided for an OAuth1 access token is silently | | | | | | | | | | ignored. Th... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-12689 | high | 8.80 | python-keystoneclient | 3.22.0 | fixed in 15.0.1 | > 10 months | < 1 hour | An issue was discovered in OpenStack Keystone | | | | | | | | | | before 15.0.1, and 16.0.0. Any user authenticated | | | | | | | | | | within a limited scope (trust/oauth/application | | | | | | | | | | creden... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-7660 | high | 8.10 | serialize-javascript | 2.1.0 | fixed in 3.1.0 | > 9 months | < 1 hour | serialize-javascript prior to 3.1.0 allows | | | | | | | | | | remote attackers to inject arbitrary code via the | | | | | | | | | | function \"deleteFunctions\" within \"index.js\". | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-7660 | high | 8.10 | serialize-javascript | 1.9.1 | fixed in 3.1.0 | > 9 months | < 1 hour | serialize-javascript prior to 3.1.0 allows | | | | | | | | | | remote attackers to inject arbitrary code via the | | | | | | | | | | function \"deleteFunctions\" within \"index.js\". | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-14363 | important | 7.80 | libX11 | 1.6.8-3.el8 | affected | > 6 months | < 1 hour | An integer overflow vulnerability leading to | | | | | | | | | | a double-free was found in libX11. This flaw | | | | | | | | | | allows a local privileged attacker to cause an | | | | | | | | | | application c... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-13822 | high | 7.70 | elliptic | 6.4.0 | fixed in 6.5.3 | > 9 months | < 1 hour | The Elliptic package 6.5.2 for Node.js allows | | | | | | | | | | ECDSA signature malleability via variations | | | | | | | | | | in encoding, leading \'\\0\' bytes, or integer | | | | | | | | | | overflows. Th... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27923 | high | 7.50 | pillow | 7.2.0 | fixed in 8.1.1 | 14 days | < 1 hour | Pillow before 8.1.1 allows attackers to cause a | | | | | | | | | | denial of service (memory consumption) because the | | | | | | | | | | reported size of a contained image is not properly | | | | | | | | | | ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27922 | high | 7.50 | pillow | 7.2.0 | fixed in 8.1.1 | 14 days | < 1 hour | Pillow before 8.1.1 allows attackers to cause a | | | | | | | | | | denial of service (memory consumption) because the | | | | | | | | | | reported size of a contained image is not properly | | | | | | | | | | ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27921 | high | 7.50 | pillow | 7.2.0 | fixed in 8.1.1 | 14 days | < 1 hour | Pillow before 8.1.1 allows attackers to cause a | | | | | | | | | | denial of service (memory consumption) because the | | | | | | | | | | reported size of a contained image is not properly | | | | | | | | | | ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22883 | important | 7.50 | npm | 6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97 | fixed in | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | 6.14.11-1.10.24.0.1.module+el8.3.0+10166+b07ac28e | | | 15.10.0 is vulnerable to a denial of service | | | | | | | | | | attack when too many connection attempts with an | | | | | | | | | | \'unknownP... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22883 | important | 7.50 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 10.24.0-1.module+el8.3.0+10166+b07ac28e | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | | | | 15.10.0 is vulnerable to a denial of service | | | | | | | | | | attack when too many connection attempts with an | | | | | | | | | | \'unknownP... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22883 | important | 7.50 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 10.24.0-1.module+el8.3.0+10166+b07ac28e | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | | | | 15.10.0 is vulnerable to a denial of service | | | | | | | | | | attack when too many connection attempts with an | | | | | | | | | | \'unknownP... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-36049 | high | 7.50 | socket.io-parser | 2.3.1 | fixed in 3.4.1 | 68 days | < 1 hour | socket.io-parser before 3.4.1 allows attackers to | | | | | | | | | | cause a denial of service (memory consumption) via | | | | | | | | | | a large packet because a concatenation approach | | | | | | | | | | i... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-36048 | high | 7.50 | engine.io | 1.8.3 | fixed in 4.0.0 | 68 days | < 1 hour | Engine.IO before 4.0.0 allows attackers to cause | | | | | | | | | | a denial of service (resource consumption) via a | | | | | | | | | | POST request to the long polling transport. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-1967 | high | 7.50 | cryptography | 2.8 | fixed in 2.9.1 | > 11 months | < 1 hour | Server or client applications that call the | | | | | | | | | | SSL_check_chain() function during or after a TLS | | | | | | | | | | 1.3 handshake may crash due to a NULL pointer | | | | | | | | | | dereference... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-13757 | high | 7.50 | rsa | 4.0 | fixed in 4.1 | > 9 months | < 1 hour | Python-RSA before 4.1 ignores leading \'\\0\' | | | | | | | | | | bytes during decryption of ciphertext. This could | | | | | | | | | | conceivably have a security-relevant impact, e.g., | | | | | | | | | | by ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-3737 | high | 7.50 | sshpk | 1.10.2 | fixed in 1.13.2 | > 2 years | < 1 hour | sshpk is vulnerable to ReDoS when parsing crafted | | | | | | | | | | invalid public keys. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-16113 | high | 7.50 | parsejson | 0.0.3 | open | > 2 years | < 1 hour | The parsejson module is vulnerable to regular | | | | | | | | | | expression denial of service when untrusted user | | | | | | | | | | input is passed into it to be parsed. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-16099 | high | 7.50 | no-case | 2.3.1 | fixed in 2.3.2 | > 2 years | < 1 hour | The no-case module is vulnerable to regular | | | | | | | | | | expression denial of service. When malicious | | | | | | | | | | untrusted user input is passed into no-case it can | | | | | | | | | | block the ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-15010 | high | 7.50 | tough-cookie | 2.3.2 | fixed in 2.3.3 | > 3 years | < 1 hour | A ReDoS (regular expression denial of service) | | | | | | | | | | flaw was found in the tough-cookie module before | | | | | | | | | | 2.3.3 for Node.js. An attacker that is able to | | | | | | | | | | make an... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-1000048 | high | 7.50 | qs | 6.3.1 | fixed in 6.3.2, 6.2.3, 6.1.2, 6.0.4 | > 3 years | < 1 hour | the web framework using ljharb\'s qs module | | | | | | | | | | older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is | | | | | | | | | | vulnerable to a DoS. A malicious user can send a | | | | | | | | | | evil req... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8172 | important | 7.40 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.18.2-1.module+el8.2.0+7233+61d664c1 | > 9 months | < 1 hour | TLS session reuse can lead to host certificate | | | | | | | | | | verification bypass in node version < 12.18.0 and | | | | | | | | | | < 14.4.0. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8172 | important | 7.40 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.18.2-1.module+el8.2.0+7233+61d664c1 | > 9 months | < 1 hour | TLS session reuse can lead to host certificate | | | | | | | | | | verification bypass in node version < 12.18.0 and | | | | | | | | | | < 14.4.0. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-23337 | high | 7.20 | lodash | 4.17.15 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Command Injection via template. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-23337 | high | 7.20 | lodash | 3.10.1 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Command Injection via template. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-23337 | high | 7.20 | lodash | 4.17.4 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Command Injection via template. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-23337 | high | 7.20 | lodash | 4.17.19 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Command Injection via template. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-35653 | high | 7.10 | pillow | 7.2.0 | fixed in 8.1.0 | 64 days | < 1 hour | In Pillow before 8.1.0, PcxDecode has a buffer | | | | | | | | | | over-read when decoding a crafted PCX file because | | | | | | | | | | the user-supplied stride value is trusted for | | | | | | | | | | buffer... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-q2c6-c6pm-g3gh | high | 7.00 | handlebars | 4.0.6 | fixed in 4.5.3, 3.0.8 | > 6 months | < 1 hour | Versions of `handlebars` prior to 3.0.8 or 4.5.3 | | | | | | | | | | are vulnerable to Arbitrary Code Execution. | | | | | | | | | | The package\'s lookup helper fails to properly | | | | | | | | | | validate t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-pc5p-h8pf-mvwp | high | 7.00 | https-proxy-agent | 1.0.0 | fixed in 2.2.3 | > 11 months | < 1 hour | Versions of `https-proxy-agent` prior to 2.2.3 are | | | | | | | | | | vulnerable to Machine-In-The-Middle. The package | | | | | | | | | | fails to enforce TLS on the socket if the proxy | | | | | | | | | | se... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-h6ch-v84p-w6p9 | high | 7.00 | diff | 3.2.0 | fixed in 3.5.0 | > 1 years | < 1 hour | A vulnerability was found in diff before v3.5.0, | | | | | | | | | | the affected versions of this package are | | | | | | | | | | vulnerable to Regular Expression Denial of Service | | | | | | | | | | (ReDoS) ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-g9r4-xpmj-mj65 | high | 7.00 | handlebars | 4.0.6 | fixed in 4.5.3, 3.0.8 | > 6 months | < 1 hour | Versions of `handlebars` prior to 3.0.8 or 4.5.3 | | | | | | | | | | are vulnerable to prototype pollution. It is | | | | | | | | | | possible to add or modify properties to the Object | | | | | | | | | | proto... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-8j8c-7jfh-h6hx | high | 7.00 | js-yaml | 3.8.1 | fixed in 3.13.1 | > 1 years | < 1 hour | Versions of `js-yaml` prior to 3.13.1 are | | | | | | | | | | vulnerable to Code Injection. The `load()` | | | | | | | | | | function may execute arbitrary code injected | | | | | | | | | | through a malicious ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-8j8c-7jfh-h6hx | high | 7.00 | js-yaml | 3.7.0 | fixed in 3.13.1 | > 1 years | < 1 hour | Versions of `js-yaml` prior to 3.13.1 are | | | | | | | | | | vulnerable to Code Injection. The `load()` | | | | | | | | | | function may execute arbitrary code injected | | | | | | | | | | through a malicious ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-6x33-pw7p-hmpq | high | 7.00 | http-proxy | 1.16.2 | fixed in 1.18.1 | > 6 months | < 1 hour | Versions of `http-proxy` prior to 1.18.1 | | | | | | | | | | are vulnerable to Denial of Service. An | | | | | | | | | | HTTP request with a long body triggers an | | | | | | | | | | `ERR_HTTP_HEADERS_SENT` unh... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | GHSA-2cf5-4w76-r9qv | high | 7.00 | handlebars | 4.0.6 | fixed in 4.5.2, 3.0.8 | > 6 months | < 1 hour | Versions of `handlebars` prior to 3.0.8 or 4.5.2 | | | | | | | | | | are vulnerable to Arbitrary Code Execution. | | | | | | | | | | The package\'s lookup helper fails to properly | | | | | | | | | | validate t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10746 | important | 7.00 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.20.1-1.module+el8.3.0+9503+19cb079c | > 1 years | < 1 hour | mixin-deep is vulnerable to Prototype Pollution | | | | | | | | | | in versions before 1.3.2 and version 2.0.0. The | | | | | | | | | | function mixin-deep could be tricked into adding | | | | | | | | | | or mo... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10746 | important | 7.00 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.20.1-1.module+el8.3.0+9503+19cb079c | > 1 years | < 1 hour | mixin-deep is vulnerable to Prototype Pollution | | | | | | | | | | in versions before 1.3.2 and version 2.0.0. The | | | | | | | | | | function mixin-deep could be tricked into adding | | | | | | | | | | or mo... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10746 | important | 7.00 | npm | 6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97 | fixed in | > 1 years | < 1 hour | mixin-deep is vulnerable to Prototype Pollution | | | | | | | 6.14.10-1.12.20.1.1.module+el8.3.0+9503+19cb079c | | | in versions before 1.3.2 and version 2.0.0. The | | | | | | | | | | function mixin-deep could be tricked into adding | | | | | | | | | | or mo... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2015-9251 | high | 6.10 | jquery | 1.12.4 | fixed in 3.0.0 | > 3 years | < 1 hour | jQuery before 3.0.0 is vulnerable to Cross-site | | | | | | | | | | Scripting (XSS) attacks when a cross-domain Ajax | | | | | | | | | | request is performed without the dataType option, | | | | | | | | | | cau... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-16487 | high | 5.60 | lodash | 4.17.4 | fixed in 4.17.11 | > 2 years | < 1 hour | A prototype pollution vulnerability was found | | | | | | | | | | in lodash <4.17.11 where the functions merge, | | | | | | | | | | mergeWith, and defaultsDeep can be tricked into | | | | | | | | | | adding or ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-16487 | high | 5.60 | lodash | 3.10.1 | fixed in 4.17.11 | > 2 years | < 1 hour | A prototype pollution vulnerability was found | | | | | | | | | | in lodash <4.17.11 where the functions merge, | | | | | | | | | | mergeWith, and defaultsDeep can be tricked into | | | | | | | | | | adding or ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-1002204 | high | 5.50 | adm-zip | 0.4.4 | fixed in 0.4.11 | > 2 years | < 1 hour | adm-zip npm library before 0.4.9 is vulnerable to | | | | | | | | | | directory traversal, allowing attackers to write | | | | | | | | | | to arbitrary files via a ../ (dot dot slash) in a | | | | | | | | | | Z... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-1002204 | high | 5.50 | adm-zip | 0.4.7 | fixed in 0.4.11 | > 2 years | < 1 hour | adm-zip npm library before 0.4.9 is vulnerable to | | | | | | | | | | directory traversal, allowing attackers to write | | | | | | | | | | to arbitrary files via a ../ (dot dot slash) in a | | | | | | | | | | Z... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28500 | high | 5.30 | lodash | 4.17.19 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Regular Expression Denial of Service (ReDoS) | | | | | | | | | | via t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28500 | high | 5.30 | lodash | 4.17.15 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Regular Expression Denial of Service (ReDoS) | | | | | | | | | | via t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28500 | high | 5.30 | lodash | 4.17.4 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Regular Expression Denial of Service (ReDoS) | | | | | | | | | | via t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28500 | high | 5.30 | lodash | 3.10.1 | fixed in 4.17.21 | 30 days | < 1 hour | All versions of package lodash; all versions of | | | | | | | | | | package org.fujion.webjars:lodash are vulnerable | | | | | | | | | | to Regular Expression Denial of Service (ReDoS) | | | | | | | | | | via t... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-25013 | important | 4.80 | glibc | 2.28-127.el8_3.2 | affected | 71 days | < 1 hour | The iconv feature in the GNU C Library (aka glibc | | | | | | | | | | or libc6) through 2.32, when processing invalid | | | | | | | | | | multi-byte input sequences in the EUC-KR encoding, | | | | | | | | | | m... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22884 | important | 4.20 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 10.24.0-1.module+el8.3.0+10166+b07ac28e | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | | | | 15.10.0 is vulnerable to DNS rebinding attacks | | | | | | | | | | as the whitelist includes “localhost6”. When | | | | | | | | | | “local... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22884 | important | 4.20 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 10.24.0-1.module+el8.3.0+10166+b07ac28e | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | | | | 15.10.0 is vulnerable to DNS rebinding attacks | | | | | | | | | | as the whitelist includes “localhost6”. When | | | | | | | | | | “local... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-22884 | important | 4.20 | npm | 6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97 | fixed in | 13 days | < 1 hour | Node.js before 10.24.0, 12.21.0, 14.16.0, and | | | | | | | 6.14.11-1.10.24.0.1.module+el8.3.0+10166+b07ac28e | | | 15.10.0 is vulnerable to DNS rebinding attacks | | | | | | | | | | as the whitelist includes “localhost6”. When | | | | | | | | | | “local... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0041 | high | 0.00 | oauthlib | 3.1.0 | open | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0034 | high | 0.00 | adm-zip | 0.4.16 | fixed in 0.5.3 | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0034 | high | 0.00 | adm-zip | 0.4.4 | fixed in 0.5.3 | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0034 | high | 0.00 | adm-zip | 0.4.7 | fixed in 0.5.3 | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0015 | high | 0.00 | pillow | 7.2.0 | fixed in 8.1.0 | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | PRISMA-2021-0010 | high | 0.00 | pillow | 7.2.0 | fixed in 8.1.0 | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28469 | high | 0.00 | glob-parent | 2.0.0 | open | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28469 | high | 0.00 | glob-parent | 3.1.0 | open | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28469 | high | 0.00 | glob-parent | 5.1.1 | open | n/a | < 1 hour | | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-16492 | moderate | 9.80 | extend | 3.0.0 | fixed in 2.0.2, 3.0.2 | > 2 years | < 1 hour | A prototype pollution vulnerability was found | | | | | | | | | | in module extend <2.0.2, ~<3.0.2 that allows | | | | | | | | | | an attacker to inject arbitrary properties onto | | | | | | | | | | Object.prot... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2018-3728 | moderate | 8.80 | hoek | 2.16.3 | fixed in 5.0.3, 4.2.1 | > 2 years | < 1 hour | hoek node module before 4.2.0 and 5.0.x | | | | | | | | | | before 5.0.3 suffers from a Modification of | | | | | | | | | | Assumed-Immutable Data (MAID) vulnerability via | | | | | | | | | | \'merge\' and \'ap... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-3326 | moderate | 7.50 | glibc | 2.28-127.el8_3.2 | affected | 48 days | < 1 hour | The iconv function in the GNU C Library (aka | | | | | | | | | | glibc or libc6) 2.32 and earlier, when processing | | | | | | | | | | invalid input sequences in the ISO-2022-JP-3 | | | | | | | | | | encoding, ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27516 | moderate | 7.50 | urijs | 1.18.10 | fixed in 1.19.6 | 23 days | < 1 hour | URI.js (aka urijs) before 1.19.6 mishandles | | | | | | | | | | certain uses of backslash such as http:\\/ and | | | | | | | | | | interprets the URI as a relative path. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27516 | moderate | 7.50 | urijs | 1.19.2 | fixed in 1.19.6 | 23 days | < 1 hour | URI.js (aka urijs) before 1.19.6 mishandles | | | | | | | | | | certain uses of backslash such as http:\\/ and | | | | | | | | | | interprets the URI as a relative path. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27219 | moderate | 7.50 | glib2 | 2.56.4-8.el8 | affected | 30 days | < 1 hour | An issue was discovered in GNOME GLib before | | | | | | | | | | 2.66.6 and 2.67.x before 2.67.3. The function | | | | | | | | | | g_bytes_new has an integer overflow on 64-bit | | | | | | | | | | platforms due... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-27218 | moderate | 7.50 | glib2 | 2.56.4-8.el8 | affected | 30 days | < 1 hour | An issue was discovered in GNOME GLib | | | | | | | | | | before 2.66.7 and 2.67.x before 2.67.4. If | | | | | | | | | | g_byte_array_new_take() was called with a buffer | | | | | | | | | | of 4GB or more on a ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-23840 | moderate | 7.50 | openssl | 1.1.1g-12.el8_3 | affected | 29 days | < 1 hour | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and | | | | | | | | | | EVP_DecryptUpdate may overflow the output length | | | | | | | | | | argument in some cases where the input length is | | | | | | | | | | clo... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8277 | moderate | 7.50 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.19.1-1.module+el8.3.0+8851+b7b41ca0 | > 3 months | < 1 hour | A Node.js application that allows an attacker to | | | | | | | | | | trigger a DNS request for a host of their choice | | | | | | | | | | could trigger a Denial of Service in versions < | | | | | | | | | | 15.2... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8277 | moderate | 7.50 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.19.1-1.module+el8.3.0+8851+b7b41ca0 | > 3 months | < 1 hour | A Node.js application that allows an attacker to | | | | | | | | | | trigger a DNS request for a host of their choice | | | | | | | | | | could trigger a Denial of Service in versions < | | | | | | | | | | 15.2... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-29363 | moderate | 7.50 | p11-kit | 0.23.14-5.el8_0 | affected | > 3 months | < 1 hour | An issue was discovered in p11-kit 0.23.6 through | | | | | | | | | | 0.23.21. A heap-based buffer overflow has been | | | | | | | | | | discovered in the RPC protocol used by p11-kit | | | | | | | | | | server... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-29361 | moderate | 7.50 | p11-kit | 0.23.14-5.el8_0 | affected | > 3 months | < 1 hour | An issue was discovered in p11-kit 0.21.1 through | | | | | | | | | | 0.23.21. Multiple integer overflows have been | | | | | | | | | | discovered in the array allocations in the p11-kit | | | | | | | | | | lib... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-10768 | moderate | 7.50 | angular | 1.6.2 | fixed in 1.7.9 | > 1 years | < 1 hour | In AngularJS before 1.7.9 the function `merge()` | | | | | | | | | | could be tricked into adding or modifying | | | | | | | | | | properties of `Object.prototype` using a | | | | | | | | | | `__proto__` payloa... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-18077 | moderate | 7.50 | brace-expansion | 1.1.6 | fixed in 1.1.7 | > 3 years | < 1 hour | index.js in brace-expansion before 1.1.7 is | | | | | | | | | | vulnerable to Regular Expression Denial of Service | | | | | | | | | | (ReDoS) attacks, as demonstrated by an expand | | | | | | | | | | argument ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2017-16138 | moderate | 7.50 | mime | 1.3.4 | fixed in 2.0.3, 1.4.1 | > 2 years | < 1 hour | The mime module < 1.4.1, 2.0.1, 2.0.2 is | | | | | | | | | | vulnerable to regular expression denial of service | | | | | | | | | | when a mime lookup is performed on untrusted user | | | | | | | | | | input. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-20232 | moderate | 7.40 | gnutls | 3.6.14-7.el8_3 | affected | 4 days | < 1 hour | A flaw was found in gnutls. A use after free issue | | | | | | | | | | in client_send_params in lib/ext/pre_shared_key.c | | | | | | | | | | may lead to memory corruption and other | | | | | | | | | | potential... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2021-20231 | moderate | 7.40 | gnutls | 3.6.14-7.el8_3 | affected | 4 days | < 1 hour | A flaw was found in gnutls. A use after free issue | | | | | | | | | | in client sending key_share extension may lead to | | | | | | | | | | memory corruption and other consequences. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8286 | moderate | 7.40 | curl | 7.61.1-14.el8_3.1 | affected | > 3 months | < 1 hour | curl 7.41.0 through 7.73.0 is vulnerable to an | | | | | | | | | | improper check for certificate revocation due to | | | | | | | | | | insufficient verification of the OCSP response. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8201 | moderate | 7.40 | nodejs-full-i18n | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.18.4-2.module+el8.2.0+8361+192e434e | > 5 months | < 1 hour | Node.js < 12.18.4 and < 14.11 can be exploited to | | | | | | | | | | perform HTTP desync attacks and deliver malicious | | | | | | | | | | payloads to unsuspecting users. The payloads can | | | | | | | | | | b... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8201 | moderate | 7.40 | nodejs | 10.23.1-1.module+el8.3.0+9502+012d8a97 | fixed in 12.18.4-2.module+el8.2.0+8361+192e434e | > 5 months | < 1 hour | Node.js < 12.18.4 and < 14.11 can be exploited to | | | | | | | | | | perform HTTP desync attacks and deliver malicious | | | | | | | | | | payloads to unsuspecting users. The payloads can | | | | | | | | | | b... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28498 | moderate | 6.80 | elliptic | 6.4.0 | fixed in 6.5.4 | 42 days | < 1 hour | The package elliptic before 6.5.4 are vulnerable | | | | | | | | | | to Cryptographic Issues via the secp256k1 | | | | | | | | | | implementation in elliptic/ec/key.js. There is no | | | | | | | | | | check to ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-28498 | moderate | 6.80 | elliptic | 6.5.3 | fixed in 6.5.4 | 42 days | < 1 hour | The package elliptic before 6.5.4 are vulnerable | | | | | | | | | | to Cryptographic Issues via the secp256k1 | | | | | | | | | | implementation in elliptic/ec/key.js. There is no | | | | | | | | | | check to ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-14344 | moderate | 6.70 | libX11 | 1.6.8-3.el8 | affected | > 7 months | < 1 hour | An integer overflow leading to a heap-buffer | | | | | | | | | | overflow was found in The X Input Method (XIM) | | | | | | | | | | client was implemented in libX11 before version | | | | | | | | | | 1.6.10. As... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-13776 | moderate | 6.70 | systemd | 239-41.el8_3.1 | affected | > 9 months | < 1 hour | systemd through v245 mishandles numerical | | | | | | | | | | usernames such as ones composed of decimal digits | | | | | | | | | | or 0x followed by hex digits, as demonstrated by | | | | | | | | | | use of ro... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8927 | moderate | 6.50 | brotli | 1.0.6-2.el8 | affected | > 6 months | < 1 hour | A buffer overflow exists in the Brotli library | | | | | | | | | | versions prior to 1.0.8 where an attacker | | | | | | | | | | controlling the input length of a \"one-shot\" | | | | | | | | | | decompression ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-8285 | moderate | 6.50 | curl | 7.61.1-14.el8_3.1 | affected | > 3 months | < 1 hour | curl 7.21.0 to and including 7.73.0 is vulnerable | | | | | | | | | | to uncontrolled recursion due to a stack overflow | | | | | | | | | | issue in FTP wildcard match parsing. | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-5236 | medium | 6.50 | waitress | 1.4.2 | | > 1 years | < 1 hour | Waitress version 1.4.2 allows a DOS attack When | | | | | | | | | | waitress receives a header that contains invalid | | | | | | | | | | characters. When a header like \"Bad-header: | | | | | | | | | | xxxxxxxx... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-26291 | moderate | 6.50 | urijs | 1.19.2 | fixed in 1.19.4 | 76 days | < 1 hour | URI.js is a javascript URL mutation library (npm | | | | | | | | | | package urijs). In URI.js before version 1.19.4, | | | | | | | | | | the hostname can be spoofed by using a backslash | | | | | | | | | | (`\... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-26291 | moderate | 6.50 | urijs | 1.18.10 | fixed in 1.19.4 | 76 days | < 1 hour | URI.js is a javascript URL mutation library (npm | | | | | | | | | | package urijs). In URI.js before version 1.19.4, | | | | | | | | | | the hostname can be spoofed by using a backslash | | | | | | | | | | (`\... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-1010266 | moderate | 6.50 | lodash | 4.17.4 | fixed in 4.17.11 | > 1 years | < 1 hour | lodash prior to 4.17.11 is affected by: CWE-400: | | | | | | | | | | Uncontrolled Resource Consumption. The impact is: | | | | | | | | | | Denial of service. The component is: Date handler. | | | | | | | | | | ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2019-1010266 | moderate | 6.50 | lodash | 3.10.1 | fixed in 4.17.11 | > 1 years | < 1 hour | lodash prior to 4.17.11 is affected by: CWE-400: | | | | | | | | | | Uncontrolled Resource Consumption. The impact is: | | | | | | | | | | Denial of service. The component is: Date handler. | | | | | | | | | | ... | +---------------------+-----------+-------+-----------------------------+--------------------------------------------------+----------------------------------------------------+-------------+------------+------------------------------------------------------------------+ | CVE-2020-11023 | moderate | 6.10 | jquery | 1.12.4 | fixed in 3.5.0 | > 10 months | < 1 hour | In jQuery versions greater than or equal to 1.0.3 | | | | | | | | | | and before 3.5.0, passing HTML containing