bigchaindb-driver@0.2.0

Vulnerabilities

5 via 7 paths

Dependencies

212

Source

npm


Severity: 2 high, 2 medium, 1 low

high severity

Improper Integrity Checks

  • Vulnerable module: yarn
  • Introduced through: yarn@0.24.6

Detailed paths

  • Introduced through: bigchaindb-driver@0.2.0 yarn@0.24.6
    Remediation: Upgrade to bigchaindb-driver@3.1.0.

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Improper Integrity Checks. A crafted yarn.lock file allows an attacker to pollute the yarn cache and place a malicious package into the cache under any name/version, bypassing both the integrity and hash checks in yarn.lock, so that any future install of that package will install the fake version (regardless of integrity and hashes).

Remediation

Upgrade yarn to version 1.19 or higher.

high severity

Man-in-the-Middle (MitM)

  • Vulnerable module: yarn
  • Introduced through: yarn@0.24.6

Detailed paths

  • Introduced through: bigchaindb-driver@0.2.0 yarn@0.24.6
    Remediation: Upgrade to bigchaindb-driver@3.1.0.

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). Npm credentials such as _authToken were found to be sent over clear text when processing scoped packages that are listed as resolved. This could allow a suitably positioned attacker to eavesdrop and compromise the sent credentials.

Remediation

Upgrade yarn to version 1.17.3 or higher.

medium severity

Denial of Service

  • Vulnerable module: node-fetch
  • Introduced through: fetch-ponyfill@4.1.0, isomorphic-fetch@2.2.1 and others

Detailed paths

  • Introduced through: bigchaindb-driver@0.2.0 fetch-ponyfill@4.1.0 node-fetch@1.7.3
    Remediation: Upgrade to bigchaindb-driver@4.0.0.
  • Introduced through: bigchaindb-driver@0.2.0 isomorphic-fetch@2.2.1 node-fetch@1.7.3
    Remediation: Upgrade to bigchaindb-driver@4.2.0.
  • Introduced through: bigchaindb-driver@0.2.0 js-utility-belt@1.5.0 fetch-ponyfill@1.0.0 node-fetch@1.5.1

Overview

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

Remediation

Upgrade node-fetch to version 2.6.1, 3.0.0-beta.9 or higher.

medium severity

Arbitrary File Overwrite

  • Vulnerable module: yarn
  • Introduced through: yarn@0.24.6

Detailed paths

  • Introduced through: bigchaindb-driver@0.2.0 yarn@0.24.6
    Remediation: Upgrade to bigchaindb-driver@3.1.0.

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It is possible for a malicious package, upon install, to write to any path on the filesystem even when the --ignore-scripts option is set. This occurs due to symlinks not being correctly unpacked as part of the Yarn install process.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating file paths with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade yarn to version 1.22.0 or higher.

low severity

Arbitrary File Write

  • Vulnerable module: yarn
  • Introduced through: yarn@0.24.6

Detailed paths

  • Introduced through: bigchaindb-driver@0.2.0 yarn@0.24.6
    Remediation: Upgrade to bigchaindb-driver@3.1.0.

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Write. The package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted bin keys. Existing files could be overwritten depending on the current user permission set.

Remediation

Upgrade yarn to version 1.21.1 or higher.
