Vulnerabilities

3 via 5 paths

Dependencies

110

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 2
Status
  • 3
  • 0
  • 0

critical severity

Predictable Value Range from Previous Values

  • Vulnerable module: form-data
  • Introduced through: @cinerino/factory@9.35.4

Detailed paths

  • Introduced through: @alverca/factory@alverca/factory @cinerino/factory@9.35.4 @chevre/factory@4.76.0 @motionpicture/gmo-service@5.3.0 form-data@4.0.0

Overview

Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

Remediation

Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: node-fetch
  • Introduced through: @cinerino/factory@9.35.4

Detailed paths

  • Introduced through: @alverca/factory@alverca/factory @cinerino/factory@9.35.4 @chevre/factory@4.76.0 @movieticket/reserve-api-nodejs-client@1.0.1 isomorphic-fetch@2.2.1 node-fetch@1.7.3
  • Introduced through: @alverca/factory@alverca/factory @cinerino/factory@9.35.4 @chevre/factory@4.76.0 @movieticket/reserve-api-nodejs-client@1.0.1 @movieticket/reserve-api-abstract-client@1.1.0 isomorphic-fetch@2.2.1 node-fetch@1.7.3

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Information Exposure when fetching a remote url with Cookie, if it get a Location response header, it will follow that url and try to fetch that url with provided cookie. This can lead to forwarding secure headers to 3th party.

Remediation

Upgrade node-fetch to version 2.6.7, 3.1.1 or higher.

References

medium severity

Denial of Service

  • Vulnerable module: node-fetch
  • Introduced through: @cinerino/factory@9.35.4

Detailed paths

  • Introduced through: @alverca/factory@alverca/factory @cinerino/factory@9.35.4 @chevre/factory@4.76.0 @movieticket/reserve-api-nodejs-client@1.0.1 isomorphic-fetch@2.2.1 node-fetch@1.7.3
  • Introduced through: @alverca/factory@alverca/factory @cinerino/factory@9.35.4 @chevre/factory@4.76.0 @movieticket/reserve-api-nodejs-client@1.0.1 @movieticket/reserve-api-abstract-client@1.1.0 isomorphic-fetch@2.2.1 node-fetch@1.7.3

Overview

node-fetch is a light-weight module that brings window.fetch to node.js

Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

Remediation

Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.

References