vscode-contrib/vscode-versionlens

Shows the latest version for each package using code lens.
Vulnerabilities: 2 via 7 paths
Dependencies: 432
Source: GitHub
Commit: d44bfa5d

medium severity
new

Man-in-the-Middle (MitM)

  • Vulnerable module: https-proxy-agent
  • Introduced through: request-light@0.2.4 and npm@6.5.0

Detailed paths

  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > request-light@0.2.4 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.
  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > pacote@8.1.6 > make-fetch-happen@4.0.2 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.
  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > npm-profile@3.0.2 > make-fetch-happen@4.0.2 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.
  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > npm-registry-fetch@1.1.1 > make-fetch-happen@3.0.0 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.
  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > libcipm@2.0.2 > pacote@8.1.6 > make-fetch-happen@4.0.2 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.
  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > libnpmhook@4.0.1 > npm-registry-fetch@3.9.1 > make-fetch-happen@4.0.2 > https-proxy-agent@2.2.2
    Remediation: Open PR to patch https-proxy-agent@2.2.2.

Overview

https-proxy-agent is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When targeting an HTTP proxy, https-proxy-agent opens a socket to the proxy and sends it a CONNECT request. If the proxy server responds with anything other than an HTTP 200 response, https-proxy-agent incorrectly returns the socket without performing the TLS upgrade, so the request data, which may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.

PoC by Kris Adler

var url = require('url');
var https = require('https');
var HttpsProxyAgent = require('https-proxy-agent');

// Plain-HTTP proxy: the CONNECT request goes to it in cleartext.
var proxyOpts = url.parse('http://127.0.0.1:80');
// HTTPS origin the client expects to reach through a TLS tunnel.
var opts = url.parse('https://www.google.com');
var agent = new HttpsProxyAgent(proxyOpts);
opts.agent = agent;
// Basic auth credentials are sent as a request header; in affected versions
// they leave the client unencrypted whenever the proxy does not answer 200.
opts.auth = 'username:password';
https.get(opts);

Remediation

Upgrade https-proxy-agent to version 3.0.0 or higher.

medium severity

Time of Check Time of Use (TOCTOU)

  • Vulnerable module: chownr
  • Introduced through: npm@6.5.0

Detailed paths

  • Introduced through: vscode-versionlens@vscode-contrib/vscode-versionlens#d44bfa5d17f419754f29d586a771a371fdda2d2b > npm@6.5.0 > chownr@1.0.1
    Remediation: Upgrade to npm@6.6.0.

Overview

chownr is a package that takes the same arguments as fs.chown().

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU) attacks.

It does not dereference symbolic links and changes the owner of the link itself rather than its target, but the symlink check (fs.lstat) and the recursive descent are separate steps, so it can be tricked into descending into unintended trees if a non-symlink is replaced by a symlink at a critical moment between the two:

      // Time of check: lstat inspects the entry without following symlinks.
      fs.lstat(pathChild, function(er, stats) {
        if (er)
          return cb(er)
        // Time of use: by the time chownr recurses into pathChild, the entry
        // may already have been swapped for a symlink pointing elsewhere.
        if (!stats.isSymbolicLink())
          chownr(pathChild, uid, gid, then)
      })

Remediation

Upgrade chownr to version 1.1.0 or higher.
