Vulnerabilities |
2 via 2 paths |
|---|---|
Dependencies |
11 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: joi
- Introduced through: joi@17.13.4
Detailed paths
-
Introduced through: @envage/hapi-pg-rest-api@DEFRA/hapi-pg-rest-api › joi@17.13.4Remediation: Upgrade to joi@18.2.1.
Overview
Affected versions of this package are vulnerable to Uncaught Exception through the link validation. An attacker can cause the application to crash or become unresponsive by submitting deeply nested input that triggers an unhandled RangeError exception. This is only exploitable if input validation is performed without proper exception handling (such as missing try/catch blocks).
Remediation
Upgrade joi to version 18.2.1 or higher.
References
medium severity
- Vulnerable module: uuid
- Introduced through: uuid@3.4.0
Detailed paths
-
Introduced through: @envage/hapi-pg-rest-api@DEFRA/hapi-pg-rest-api › uuid@3.4.0Remediation: Upgrade to uuid@11.1.1.
Overview
uuid is a RFC4122 (v1, v4, and v5) compliant UUID library.
Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes (small buf or large offset). This inconsistency allows silent partial writes into caller-provided buffers.
PoC
cd /home/StrawHat/uuid
npm ci
npm run build
node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
['v4',()=>v4({},new Uint8Array(8),4)],
['v5',()=>v5('x',ns,new Uint8Array(8),4)],
['v6',()=>v6({},new Uint8Array(8),4)],
]) {
try { fn(); console.log(name,'NO_THROW'); }
catch(e){ console.log(name,'THREW',e.name); }
}"
Remediation
Upgrade uuid to version 11.1.1, 14.0.0 or higher.