Vulnerabilities

4 via 7 paths

Dependencies

282

Source

GitHub

Commit

d5fe05b3

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 3
Status
  • 4
  • 0
  • 0

high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: @salesforce/command@2.2.0

Detailed paths

  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/command@2.2.0 @oclif/plugin-help@2.2.3 lodash.template@4.5.0

Overview

lodash.template is a The Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Command Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.

References

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: jsonwebtoken
  • Introduced through: @salesforce/core@2.37.1 and @salesforce/command@2.2.0

Detailed paths

  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/core@3.32.12.
  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/command@2.2.0 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/command@5.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm such that the library can be misconfigured to use legacy, insecure key types for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Exploitability

Users are affected when using an algorithm and a key type other than the combinations mentioned below:

EC: ES256, ES384, ES512

RSA: RS256, RS384, RS512, PS256, PS384, PS512

RSA-PSS: PS256, PS384, PS512

And for Elliptic Curve algorithms:

ES256: prime256v1

ES384: secp384r1

ES512: secp521r1

Workaround

Users who are unable to upgrade to the fixed version can use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

References

medium severity

Improper Restriction of Security Token Assignment

  • Vulnerable module: jsonwebtoken
  • Introduced through: @salesforce/core@2.37.1 and @salesforce/command@2.2.0

Detailed paths

  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/core@3.32.12.
  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/command@2.2.0 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/command@5.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey argument due to misconfigurations of the key retrieval function jwt.verify(). Exploiting this vulnerability might result in incorrect verification of forged tokens when tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm.

Note: This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in jwt.verify() implementation with the same key retrieval function.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

References

medium severity

Improper Authentication

  • Vulnerable module: jsonwebtoken
  • Introduced through: @salesforce/core@2.37.1 and @salesforce/command@2.2.0

Detailed paths

  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/core@3.32.12.
  • Introduced through: sfdxplugin@cgsmeets/sfdxplugin#d5fe05b3be51a88709432ba2014e8e9a36085505 @salesforce/command@2.2.0 @salesforce/core@2.37.1 jsonwebtoken@8.5.0
    Remediation: Upgrade to @salesforce/command@5.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Authentication such that the lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Exploitability

Users are affected only if all of the following conditions are true for the jwt.verify() function:

  1. A token with no signature is received.

  2. No algorithms are specified.

  3. A falsy (e.g., null, false, undefined) secret or key is passed.

    Remediation

    Upgrade jsonwebtoken to version 9.0.0 or higher.

    References