Vulnerabilities

 1 via 12 paths

Dependencies

 98

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity
new

Improper Validation of Specified Index, Position, or Offset in Input

  • Vulnerable module: uuid
  • Introduced through: uuid@9.0.1, gcp-metadata@6.1.1 and others

Detailed paths

  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs uuid@9.0.1
    Remediation: Upgrade to uuid@11.1.1.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs gcp-metadata@6.1.1 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to gcp-metadata@7.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs google-auth-library@9.15.1 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to google-auth-library@10.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @google-cloud/common@5.0.2 teeny-request@9.0.0 uuid@9.0.1
    Remediation: Upgrade to @google-cloud/common@6.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs google-auth-library@9.15.1 gcp-metadata@6.1.1 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to google-auth-library@10.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs google-auth-library@9.15.1 gtoken@7.1.0 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to google-auth-library@10.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @google-cloud/common@5.0.2 google-auth-library@9.15.1 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to @google-cloud/common@6.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @google-cloud/common@5.0.2 retry-request@7.0.2 teeny-request@9.0.0 uuid@9.0.1
    Remediation: Upgrade to @google-cloud/common@6.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @google-cloud/common@5.0.2 google-auth-library@9.15.1 gcp-metadata@6.1.1 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to @google-cloud/common@6.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @google-cloud/common@5.0.2 google-auth-library@9.15.1 gtoken@7.1.0 gaxios@6.7.1 uuid@9.0.1
    Remediation: Upgrade to @google-cloud/common@6.0.0.
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @opencensus/propagation-stackdriver@0.1.0 uuid@8.3.2
  • Introduced through: @google-cloud/trace-agent@GoogleCloudPlatform/cloud-trace-nodejs @opencensus/propagation-stackdriver@0.1.0 @opencensus/core@0.1.0 uuid@8.3.2

Overview

uuid is a RFC4122 (v1, v4, and v5) compliant UUID library.

Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes (small buf or large offset). This inconsistency allows silent partial writes into caller-provided buffers.

PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Remediation

Upgrade uuid to version 11.1.1, 14.0.0 or higher.

References

Improper Validation of Specified Index, Position, or Offset in Input vulnerability report