Vulnerabilities |
1 via 14 paths |
|---|---|
Dependencies |
339 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: uuid
- Introduced through: pg-boss@9.0.3, @google-analytics/data@4.12.1 and others
Detailed paths
-
Introduced through: analytics-reporter@18F/analytics-reporter › pg-boss@9.0.3 › uuid@9.0.1Remediation: Upgrade to pg-boss@10.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › @google-analytics/data@4.12.1 › google-gax@4.6.1 › uuid@9.0.1Remediation: Upgrade to @google-analytics/data@5.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › googleapis-common@7.2.0 › uuid@9.0.1Remediation: Upgrade to googleapis@152.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › google-auth-library@9.15.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@150.0.1.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › googleapis-common@7.2.0 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@152.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › google-auth-library@9.15.1 › gcp-metadata@6.1.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@150.0.1.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › google-auth-library@9.15.1 › gtoken@7.1.0 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@150.0.1.
-
Introduced through: analytics-reporter@18F/analytics-reporter › @google-analytics/data@4.12.1 › google-gax@4.6.1 › google-auth-library@9.15.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to @google-analytics/data@5.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › googleapis-common@7.2.0 › google-auth-library@9.15.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@152.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › @google-analytics/data@4.12.1 › google-gax@4.6.1 › retry-request@7.0.2 › teeny-request@9.0.0 › uuid@9.0.1Remediation: Upgrade to @google-analytics/data@5.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › @google-analytics/data@4.12.1 › google-gax@4.6.1 › google-auth-library@9.15.1 › gcp-metadata@6.1.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to @google-analytics/data@5.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › googleapis-common@7.2.0 › google-auth-library@9.15.1 › gcp-metadata@6.1.1 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@152.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › @google-analytics/data@4.12.1 › google-gax@4.6.1 › google-auth-library@9.15.1 › gtoken@7.1.0 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to @google-analytics/data@5.0.0.
-
Introduced through: analytics-reporter@18F/analytics-reporter › googleapis@140.0.1 › googleapis-common@7.2.0 › google-auth-library@9.15.1 › gtoken@7.1.0 › gaxios@6.7.1 › uuid@9.0.1Remediation: Upgrade to googleapis@152.0.0.
Overview
uuid is a RFC4122 (v1, v4, and v5) compliant UUID library.
Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes (small buf or large offset). This inconsistency allows silent partial writes into caller-provided buffers.
PoC
cd /home/StrawHat/uuid
npm ci
npm run build
node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
['v4',()=>v4({},new Uint8Array(8),4)],
['v5',()=>v5('x',ns,new Uint8Array(8),4)],
['v6',()=>v6({},new Uint8Array(8),4)],
]) {
try { fn(); console.log(name,'NO_THROW'); }
catch(e){ console.log(name,'THREW',e.name); }
}"
Remediation
Upgrade uuid to version 11.1.1, 14.0.0 or higher.