From 2f95f16472a9dea6de6d5ee128d96c9597f7ee99 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Wed, 16 Aug 2023 13:53:41 +0100 Subject: [PATCH 01/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/data/judicial.mock.data.ts | 16 ++++++++++++---- api/prd/judicial/models/judicialUser.model.ts | 6 +++++- .../hearing-judge-names-list.component.spec.ts | 4 +++- .../hearing-judge.component.spec.ts | 16 ++++++++++++---- .../hearing-panel.component.spec.ts | 8 ++++++-- src/hearings/hearing.test.data.ts | 12 +++++++++--- src/hearings/models/judicialUser.model.ts | 2 ++ 7 files changed, 49 insertions(+), 15 deletions(-) diff --git a/api/prd/judicial/data/judicial.mock.data.ts b/api/prd/judicial/data/judicial.mock.data.ts index 712ab135b6..29f88e50f8 100644 --- a/api/prd/judicial/data/judicial.mock.data.ts +++ b/api/prd/judicial/data/judicial.mock.data.ts @@ -70,7 +70,9 @@ export const ALL_JUDICIAL_USERS: JudicialUserModel[] = [ knownAs: 'Hearing Judge', personalCode: 'p1000000', surname: 'Collins', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }, { emailId: 'jasmine.chiswell@judicial.com', @@ -82,7 +84,9 @@ export const ALL_JUDICIAL_USERS: JudicialUserModel[] = [ knownAs: 'Lead Judge', personalCode: 'p1000001', surname: 'Chiswell', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }, { emailId: 'jamie.vardy@judicial.com', @@ -94,7 +98,9 @@ export const ALL_JUDICIAL_USERS: JudicialUserModel[] = [ knownAs: 'Lead Judge', personalCode: 'p1000002', surname: 'Vardy', - title: 'Mr' + title: 'Mr', + initials: 'JV', + postNominals: 'JP' }, { emailId: 'james.priest@judicial.com', @@ -106,6 +112,8 @@ export const ALL_JUDICIAL_USERS: JudicialUserModel[] = [ knownAs: 'Hearing Judge', personalCode: 'p1000003', surname: 'Priest', - title: 'Mr' + title: 'Mr', + initials: 'JP', + postNominals: 'JP' } ]; diff --git a/api/prd/judicial/models/judicialUser.model.ts b/api/prd/judicial/models/judicialUser.model.ts index 6753de8a66..838d807e0f 100644 --- a/api/prd/judicial/models/judicialUser.model.ts +++ b/api/prd/judicial/models/judicialUser.model.ts @@ -24,6 +24,8 @@ export interface JudicialUserModel { personalCode: string; surname: string; title: string; + initials: string; + postNominals: string; } /** @@ -44,6 +46,8 @@ export function transformToJudicialUserModel(rawJudicialUserModel: RawJudicialUs knownAs: rawJudicialUserModel.known_as, personalCode: rawJudicialUserModel.personal_code, surname: rawJudicialUserModel.surname, - title: rawJudicialUserModel.title + title: rawJudicialUserModel.title, + initials: '', + postNominals: '' }; } diff --git a/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts b/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts index 8aaaf6567b..51df4473b7 100644 --- a/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts +++ b/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts @@ -18,7 +18,9 @@ describe('HearingJudgeNamesListComponent', () => { knownAs: 'Hearing Judge', personalCode: 'P100001', surname: 'Jacky', - title: '' + title: '', + initials: 'JC', + postNominals: 'JP' }; beforeEach(waitForAsync(() => { diff --git a/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts b/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts index 3bda5b8fe4..d0215b3e5c 100644 --- a/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts +++ b/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts @@ -134,7 +134,9 @@ describe('HearingJudgeComponent', () => { knownAs: 'Hearing Judge', personalCode: 'P100001', surname: 'Jacky', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }; component.showSpecificJudge(RadioOptions.YES); expect(component.specificJudgeSelection).toBe(RadioOptions.YES); @@ -165,7 +167,9 @@ describe('HearingJudgeComponent', () => { knownAs: 'Hearing Judge', personalCode: 'P100001', surname: 'Jacky', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }; component.hearingJudgeForm.controls.specificJudge.setValue(RadioOptions.YES); @@ -214,7 +218,9 @@ describe('HearingJudgeComponent', () => { knownAs: 'Jacky Collins', personalCode: 'P100001', surname: 'Jacky Collins', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }, { emailId: 'jammie.williams@judicial.com', @@ -226,7 +232,9 @@ describe('HearingJudgeComponent', () => { knownAs: 'Jammie Williams', personalCode: 'P0000002', surname: 'Jammie Williams', - title: 'Mr' + title: 'Mr', + initials: 'JW', + postNominals: 'JP' }]; component.specificJudgeSelection = RadioOptions.YES; component.hearingJudgeFormInfo.includedJudges = ['P0000001']; diff --git a/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts b/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts index 207b893255..22cf2798bf 100644 --- a/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts +++ b/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts @@ -277,7 +277,9 @@ describe('HearingPanelComponent', () => { knownAs: 'Hearing Judge', personalCode: 'P0000001', surname: 'Jacky Collins', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }]; component.initForm(); expect(component.includedJudgeList.length).toBe(1); @@ -297,7 +299,9 @@ describe('HearingPanelComponent', () => { knownAs: 'Hearing Judge', personalCode: 'P0000001', surname: 'Jacky', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }; component.includedJudge.judgeList = [judgeInfo]; diff --git a/src/hearings/hearing.test.data.ts b/src/hearings/hearing.test.data.ts index 113dc851d1..749742c99e 100644 --- a/src/hearings/hearing.test.data.ts +++ b/src/hearings/hearing.test.data.ts @@ -82,7 +82,9 @@ export const judicialUsersRefData: JudicialUserModel[] = [{ knownAs: 'Jacky Collins', personalCode: 'P0000001', surname: 'Jacky Collins', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }]; export const panelMembersRefData: JudicialUserModel[] = [{ @@ -95,7 +97,9 @@ export const panelMembersRefData: JudicialUserModel[] = [{ knownAs: 'Ramon', personalCode: '7007496', surname: 'Herrera', - title: 'Mr' + title: 'Mr', + initials: 'RH', + postNominals: 'JP' }]; export const judgeRefData: JudicialUserModel[] = [ @@ -109,7 +113,9 @@ export const judgeRefData: JudicialUserModel[] = [ knownAs: 'Jacky Collins', personalCode: 'P0000001', surname: 'Collins', - title: 'Mr' + title: 'Mr', + initials: 'JC', + postNominals: 'JP' }]; export const hearingPriorityRefData = [ diff --git a/src/hearings/models/judicialUser.model.ts b/src/hearings/models/judicialUser.model.ts index ab9fd633bc..2ed111f7da 100644 --- a/src/hearings/models/judicialUser.model.ts +++ b/src/hearings/models/judicialUser.model.ts @@ -9,4 +9,6 @@ export interface JudicialUserModel { personalCode: string; surname: string; title: string; + initials: string; + postNominals: string; } From 484cb19d89cc009d4e1c0a862086d54f243af90b Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Tue, 22 Aug 2023 10:23:59 +0100 Subject: [PATCH 02/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/index.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index de410ae764..aaff844c0c 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -8,8 +8,10 @@ import { RawJudicialUserModel, transformToJudicialUserModel } from './models/judicialUser.model'; +import { FeatureToggleService } from '@hmcts/rpx-xui-common-lib'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); +const ENABLE_JRD_E_LINKS_API_V2 = 'enable-jrd-e-links-api-v2'; /** * @overview searchJudicialUserByPersonalCodes from personalCodes, i.e. ['p1000000','p1000001'] @@ -20,9 +22,13 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - const { status, data }: { status: number, data: RawJudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); - const result = data.map(transformToJudicialUserModel); - res.status(status).send(result); + const featureToggleService = new FeatureToggleService(); + const isV2FeatureEnabled = await featureToggleService.getValue(ENABLE_JRD_E_LINKS_API_V2, false); + const response = await handlePost(markupPath, reqBody, req, next); + const data = isV2FeatureEnabled + ? response.data as JudicialUserModel[] + : (response.data as RawJudicialUserModel[]).map(transformToJudicialUserModel); + res.status(response.status).send(data); } catch (error) { next(error); } From fb6029b98953332ee55c203e0e024d64edce12fd Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Wed, 23 Aug 2023 09:14:52 +0100 Subject: [PATCH 03/23] Revert "EUI-8736 JRD e-Links API V2" This reverts commit 484cb19d89cc009d4e1c0a862086d54f243af90b. --- api/prd/judicial/index.ts | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index aaff844c0c..de410ae764 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -8,10 +8,8 @@ import { RawJudicialUserModel, transformToJudicialUserModel } from './models/judicialUser.model'; -import { FeatureToggleService } from '@hmcts/rpx-xui-common-lib'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); -const ENABLE_JRD_E_LINKS_API_V2 = 'enable-jrd-e-links-api-v2'; /** * @overview searchJudicialUserByPersonalCodes from personalCodes, i.e. ['p1000000','p1000001'] @@ -22,13 +20,9 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - const featureToggleService = new FeatureToggleService(); - const isV2FeatureEnabled = await featureToggleService.getValue(ENABLE_JRD_E_LINKS_API_V2, false); - const response = await handlePost(markupPath, reqBody, req, next); - const data = isV2FeatureEnabled - ? response.data as JudicialUserModel[] - : (response.data as RawJudicialUserModel[]).map(transformToJudicialUserModel); - res.status(response.status).send(data); + const { status, data }: { status: number, data: RawJudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); + const result = data.map(transformToJudicialUserModel); + res.status(status).send(result); } catch (error) { next(error); } From 8c36afe3dafdde412e99babf44bc54875318b3c5 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Wed, 23 Aug 2023 11:19:30 +0100 Subject: [PATCH 04/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/data/judicial.mock.data.ts | 92 +++++++++++-------- api/prd/judicial/models/judicialUser.model.ts | 37 ++++---- ...hearing-judge-names-list.component.spec.ts | 16 ++-- .../hearing-judge.component.spec.ts | 64 ++++++------- .../hearing-panel.component.spec.ts | 32 +++---- src/hearings/hearing.test.data.ts | 48 +++++----- src/hearings/models/judicialUser.model.ts | 14 +-- 7 files changed, 159 insertions(+), 144 deletions(-) diff --git a/api/prd/judicial/data/judicial.mock.data.ts b/api/prd/judicial/data/judicial.mock.data.ts index 29f88e50f8..60df7096c2 100644 --- a/api/prd/judicial/data/judicial.mock.data.ts +++ b/api/prd/judicial/data/judicial.mock.data.ts @@ -6,11 +6,14 @@ export const RAW_JUDICIAL_USERS: RawJudicialUserModel[] = [ object_id: '8cf0cafa-b95b-11eb-836e-3e30bdb78f20', known_as: 'Hearing Judge', surname: 'Collins', - personal_code: 'p1000000', full_name: 'Jacky Collins', - post_nominals: '', + post_nominals: 'JP', email_id: 'jacky.collins@judicial.com', + personal_code: 'p1000000', title: 'Mr', + initials: 'JC', + retirement_date: '', + active_flag: 'Y', is_judge: 'Y', is_panel_number: 'Y', is_magistrate: 'Y' @@ -20,11 +23,14 @@ export const RAW_JUDICIAL_USERS: RawJudicialUserModel[] = [ object_id: '8cf0cafa-b95c-11eb-836e-3e30bdb78f20', known_as: 'Lead Judge', surname: 'Chiswell', - personal_code: 'p1000001', full_name: 'Jasmine Chiswell', - post_nominals: '', + post_nominals: 'JP', email_id: 'jasmine.chiswell@judicial.com', + personal_code: 'p1000001', title: 'Mr', + initials: 'JC', + retirement_date: '', + active_flag: 'Y', is_judge: 'Y', is_panel_number: 'Y', is_magistrate: 'Y' @@ -34,11 +40,14 @@ export const RAW_JUDICIAL_USERS: RawJudicialUserModel[] = [ object_id: '8cf0cafa-b95d-11eb-836e-3e30bdb78f20', known_as: 'Lead Judge', surname: 'Vardy', - personal_code: 'p1000002', full_name: 'Jamie Vardy', - post_nominals: '', + post_nominals: 'JP', email_id: 'jamie.vardy@judicial.com', + personal_code: 'p1000002', title: 'Mr', + initials: 'JV', + retirement_date: '', + active_flag: 'Y', is_judge: 'Y', is_panel_number: 'Y', is_magistrate: 'Y' @@ -48,11 +57,14 @@ export const RAW_JUDICIAL_USERS: RawJudicialUserModel[] = [ object_id: '8cf0cafa-b95e-11eb-836e-3e30bdb78f20', known_as: 'Hearing Judge', surname: 'Priest', - personal_code: 'p1000003', full_name: 'James Priest', - post_nominals: '', + post_nominals: 'JP', email_id: 'james.priest@judicial.com', + personal_code: 'p1000003', title: 'Mr', + initials: 'JP', + retirement_date: '', + active_flag: 'Y', is_judge: 'Y', is_panel_number: 'Y', is_magistrate: 'Y' @@ -61,59 +73,59 @@ export const RAW_JUDICIAL_USERS: RawJudicialUserModel[] = [ export const ALL_JUDICIAL_USERS: JudicialUserModel[] = [ { - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Collins', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', + personalCode: 'p1000000', isJudge: 'Y', isMagistrate: 'Y', - isPanelMember: 'Y', - knownAs: 'Hearing Judge', - personalCode: 'p1000000', - surname: 'Collins', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: 'Y' }, { - emailId: 'jasmine.chiswell@judicial.com', + title: 'Mr', + knownAs: 'Lead Judge', + surname: 'Chiswell', fullName: 'Jasmine Chiswell', + emailId: 'jasmine.chiswell@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c2', + initials: 'JC', + postNominals: 'JP', + personalCode: 'p1000001', isJudge: 'Y', isMagistrate: 'Y', - isPanelMember: 'Y', - knownAs: 'Lead Judge', - personalCode: 'p1000001', - surname: 'Chiswell', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: 'Y' }, { - emailId: 'jamie.vardy@judicial.com', + title: 'Mr', + knownAs: 'Lead Judge', + surname: 'Vardy', fullName: 'Jamie Vardy', + emailId: 'jamie.vardy@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c3', + initials: 'JV', + postNominals: 'JP', + personalCode: 'p1000002', isJudge: 'Y', isMagistrate: 'Y', - isPanelMember: 'Y', - knownAs: 'Lead Judge', - personalCode: 'p1000002', - surname: 'Vardy', - title: 'Mr', - initials: 'JV', - postNominals: 'JP' + isPanelMember: 'Y' }, { - emailId: 'james.priest@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Priest', fullName: 'James Priest', + emailId: 'james.priest@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c4', + initials: 'JP', + postNominals: 'JP', + personalCode: 'p1000003', isJudge: 'Y', isMagistrate: 'Y', - isPanelMember: 'Y', - knownAs: 'Hearing Judge', - personalCode: 'p1000003', - surname: 'Priest', - title: 'Mr', - initials: 'JP', - postNominals: 'JP' + isPanelMember: 'Y' } ]; diff --git a/api/prd/judicial/models/judicialUser.model.ts b/api/prd/judicial/models/judicialUser.model.ts index 838d807e0f..e4ddd14b34 100644 --- a/api/prd/judicial/models/judicialUser.model.ts +++ b/api/prd/judicial/models/judicialUser.model.ts @@ -3,29 +3,32 @@ export interface RawJudicialUserModel { object_id: string; known_as: string; surname: string; - title: string; - personal_code: string; full_name: string; post_nominals: string; email_id: string; + personal_code: string; + title: string; + initials: string; + retirement_date: string; + active_flag: string; is_judge: string; is_panel_number: string; is_magistrate: string; } export interface JudicialUserModel { - emailId: string; + title: string; + knownAs: string; + surname: string; fullName: string; + emailId: string; idamId: string; + initials: string; + postNominals: string; + personalCode: string; isJudge: string; isMagistrate: string; isPanelMember: string; - knownAs: string; - personalCode: string; - surname: string; - title: string; - initials: string; - postNominals: string; } /** @@ -37,17 +40,17 @@ export interface JudicialUserModel { */ export function transformToJudicialUserModel(rawJudicialUserModel: RawJudicialUserModel): JudicialUserModel { return { - emailId: rawJudicialUserModel.email_id, + title: rawJudicialUserModel.title, + knownAs: rawJudicialUserModel.known_as, + surname: rawJudicialUserModel.surname, fullName: rawJudicialUserModel.full_name, + emailId: rawJudicialUserModel.email_id, idamId: rawJudicialUserModel.sidam_id, + initials: rawJudicialUserModel.initials, + postNominals: rawJudicialUserModel.post_nominals, + personalCode: rawJudicialUserModel.personal_code, isJudge: rawJudicialUserModel.is_judge, isMagistrate: rawJudicialUserModel.is_magistrate, - isPanelMember: rawJudicialUserModel.is_panel_number, - knownAs: rawJudicialUserModel.known_as, - personalCode: rawJudicialUserModel.personal_code, - surname: rawJudicialUserModel.surname, - title: rawJudicialUserModel.title, - initials: '', - postNominals: '' + isPanelMember: rawJudicialUserModel.is_panel_number }; } diff --git a/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts b/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts index 51df4473b7..638b3d1863 100644 --- a/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts +++ b/src/hearings/components/hearing-judge-names-list/hearing-judge-names-list.component.spec.ts @@ -9,18 +9,18 @@ describe('HearingJudgeNamesListComponent', () => { let fixture: ComponentFixture; const judgeDetails: JudicialUserModel = { - emailId: 'jacky.collins@judicial.com', + title: '', + knownAs: 'Hearing Judge', + surname: 'Jacky', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', isJudge: '', - isMagistrate: '', - isPanelMember: '', - knownAs: 'Hearing Judge', personalCode: 'P100001', - surname: 'Jacky', - title: '', - initials: 'JC', - postNominals: 'JP' + isMagistrate: '', + isPanelMember: '' }; beforeEach(waitForAsync(() => { diff --git a/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts b/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts index d0215b3e5c..00fc91282b 100644 --- a/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts +++ b/src/hearings/containers/request-hearing/hearing-judge/hearing-judge.component.spec.ts @@ -125,18 +125,18 @@ describe('HearingJudgeComponent', () => { it('should check RadioButton selection', () => { const judgeInfo: JudicialUserModel = { - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Jacky', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P100001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Hearing Judge', - personalCode: 'P100001', - surname: 'Jacky', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }; component.showSpecificJudge(RadioOptions.YES); expect(component.specificJudgeSelection).toBe(RadioOptions.YES); @@ -158,18 +158,18 @@ describe('HearingJudgeComponent', () => { it('should check prepareHearingRequestData', () => { const judgeInfo: JudicialUserModel = { - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Jacky', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P100001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Hearing Judge', - personalCode: 'P100001', - surname: 'Jacky', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }; component.hearingJudgeForm.controls.specificJudge.setValue(RadioOptions.YES); @@ -209,32 +209,32 @@ describe('HearingJudgeComponent', () => { component.setFormData(); expect(component.excludedJudgeList.length).toBe(0); const personalCodeJudgeList: JudicialUserModel[] = [{ - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Jacky Collins', + surname: 'Jacky Collins', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '1102839232', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P100001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Jacky Collins', - personalCode: 'P100001', - surname: 'Jacky Collins', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }, { - emailId: 'jammie.williams@judicial.com', + title: 'Mr', + knownAs: 'Jammie Williams', + surname: 'Jammie Williams', fullName: 'Jammie Williams', + emailId: 'jammie.williams@judicial.com', idamId: '1102839233', + initials: 'JW', + postNominals: 'JP', + personalCode: 'P0000002', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Jammie Williams', - personalCode: 'P0000002', - surname: 'Jammie Williams', - title: 'Mr', - initials: 'JW', - postNominals: 'JP' + isPanelMember: '' }]; component.specificJudgeSelection = RadioOptions.YES; component.hearingJudgeFormInfo.includedJudges = ['P0000001']; diff --git a/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts b/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts index 22cf2798bf..a4f1476969 100644 --- a/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts +++ b/src/hearings/containers/request-hearing/hearing-panel/hearing-panel.component.spec.ts @@ -268,18 +268,18 @@ describe('HearingPanelComponent', () => { it('should check getPannelMemberList', () => { component.personalCodejudgeList = [{ - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Jacky Collins', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '1102839232', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P0000001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Hearing Judge', - personalCode: 'P0000001', - surname: 'Jacky Collins', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }]; component.initForm(); expect(component.includedJudgeList.length).toBe(1); @@ -290,18 +290,18 @@ describe('HearingPanelComponent', () => { it('should check prepareData', () => { const judgeInfo: JudicialUserModel = { - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Hearing Judge', + surname: 'Jacky', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P0000001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Hearing Judge', - personalCode: 'P0000001', - surname: 'Jacky', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }; component.includedJudge.judgeList = [judgeInfo]; diff --git a/src/hearings/hearing.test.data.ts b/src/hearings/hearing.test.data.ts index 749742c99e..0a2d6fd9ec 100644 --- a/src/hearings/hearing.test.data.ts +++ b/src/hearings/hearing.test.data.ts @@ -73,49 +73,49 @@ export const hearingStageRefData = [ ]; export const judicialUsersRefData: JudicialUserModel[] = [{ - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Jacky Collins', + surname: 'Jacky Collins', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '1102839232', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P0000001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Jacky Collins', - personalCode: 'P0000001', - surname: 'Jacky Collins', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }]; export const panelMembersRefData: JudicialUserModel[] = [{ - emailId: '7007496EMP-@ejudiciary.net', + title: 'Mr', + knownAs: 'Ramon', + surname: 'Herrera', fullName: 'Ramon Herrera', + emailId: '7007496EMP-@ejudiciary.net', idamId: 'a229ec37-d84d-4eed-bd7f-0c77a6721da6', + initials: 'RH', + postNominals: 'JP', + personalCode: '7007496', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Ramon', - personalCode: '7007496', - surname: 'Herrera', - title: 'Mr', - initials: 'RH', - postNominals: 'JP' + isPanelMember: '' }]; export const judgeRefData: JudicialUserModel[] = [ { - emailId: 'jacky.collins@judicial.com', + title: 'Mr', + knownAs: 'Jacky Collins', + surname: 'Collins', fullName: 'Jacky Collins', + emailId: 'jacky.collins@judicial.com', idamId: '38eb0c5e-29c7-453e-b92d-f2029aaed6c1', + initials: 'JC', + postNominals: 'JP', + personalCode: 'P0000001', isJudge: '', isMagistrate: '', - isPanelMember: '', - knownAs: 'Jacky Collins', - personalCode: 'P0000001', - surname: 'Collins', - title: 'Mr', - initials: 'JC', - postNominals: 'JP' + isPanelMember: '' }]; export const hearingPriorityRefData = [ diff --git a/src/hearings/models/judicialUser.model.ts b/src/hearings/models/judicialUser.model.ts index 2ed111f7da..1fece6788c 100644 --- a/src/hearings/models/judicialUser.model.ts +++ b/src/hearings/models/judicialUser.model.ts @@ -1,14 +1,14 @@ export interface JudicialUserModel { - emailId: string; + title: string; + knownAs: string; + surname: string; fullName: string; + emailId: string; idamId: string; + initials: string; + postNominals: string; + personalCode: string; isJudge: string; isMagistrate: string; isPanelMember: string; - knownAs: string; - personalCode: string; - surname: string; - title: string; - initials: string; - postNominals: string; } From efbc9a3f5893156ed6cb5afcb86c75dd6bde6d7b Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Thu, 24 Aug 2023 11:45:29 +0100 Subject: [PATCH 05/23] EUI-8779 Merge unmerged RA code --- api/prd/judicial/index.ts | 81 +++++++++++++++++++++++++++++++++++++-- package.json | 1 + yarn.lock | 49 ++++++++++++++++++++++- 3 files changed, 126 insertions(+), 5 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index de410ae764..cc0c384292 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -1,15 +1,23 @@ +import { FeatureUser, LaunchDarklyService } from '@hmcts/rpx-xui-common-lib'; import { NextFunction, Response } from 'express'; -import { handlePost } from '../../common/crudService'; import { getConfigValue } from '../../configuration'; -import { SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; +import { LAUNCH_DARKLY_CLIENT_ID, SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; +import { http } from '../../lib/http'; import { EnhancedRequest } from '../../lib/models'; import { JudicialUserModel, RawJudicialUserModel, transformToJudicialUserModel } from './models/judicialUser.model'; +import { setHeaders } from '../../lib/proxy'; +import * as LaunchDarkly from '@launchdarkly/node-server-sdk'; +const ENABLE_JRD_E_LINKS_API_V2 = 'enable-jrd-e-links-api-v2'; +const CONTENT_TYPE_V1 = 'application/json'; +const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); +const launchDarklyKey = getConfigValue(LAUNCH_DARKLY_CLIENT_ID); +let ldClient: LaunchDarkly.LDClient; /** * @overview searchJudicialUserByPersonalCodes from personalCodes, i.e. ['p1000000','p1000001'] @@ -20,7 +28,9 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - const { status, data }: { status: number, data: RawJudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); + //const headers = getPrdJudicialUsersAPIHeader(); + const headers = setHeaders(req); + const { status, data }: { status: number, data: RawJudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); const result = data.map(transformToJudicialUserModel); res.status(status).send(result); } catch (error) { @@ -37,9 +47,72 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { - const { status, data }: { status: number, data: JudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); + // const headers = getPrdJudicialUsersAPIHeader(); + // req.session.passport.user.userinfo + const userInfo = req.session.passport.user.userinfo; + console.log('USER INFO FROM SESSION', userInfo); + // console.log(req.session.passport.user); + // console.log(req.session.passport); + // console.log(req.session); + console.log('LAUNCH DARKLY KEY', launchDarklyKey); + + const featureUser: FeatureUser = { + key: userInfo.id || userInfo.uid, + custom: { + roles: userInfo.roles, + orgId: '-1' + } + }; + + const flagValue = getFlagValue(ENABLE_JRD_E_LINKS_API_V2, null); + + console.log('FLAG VALUE', flagValue); + + // const featureToggleService = new LaunchDarklyService(); + // featureToggleService.initialize(featureUser, launchDarklyKey); + // const isV2FeatureEnabled = await featureToggleService.isEnabled(ENABLE_JRD_E_LINKS_API_V2); + // console.log('IS V2 FEATURE ENABLED', isV2FeatureEnabled); + // const headers = isV2FeatureEnabled + // ? CONTENT_TYPE_V2 + // : CONTENT_TYPE_V1; + // console.log('HEADERS', headers); + const headers = setHeaders(req, CONTENT_TYPE_V1); + console.log('HEADERS', headers); + const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); + console.log('DATA', data); res.status(status).send(data); } catch (error) { + console.log('ERROR', error); next(error); } } + +async function getClient(): Promise { + const client = LaunchDarkly.init(launchDarklyKey); + await client.waitForInitialization(); + return client; +} + +async function getFlagValue(key: string, user: LaunchDarkly.LDUser | null, defaultValue: any = false): Promise { + if (!ldClient) { + ldClient = await getClient(); + } + if (!user) { + user = { + key: 'anonymous' + }; + } + const flagValue = await ldClient.variation(key, user, defaultValue); + return flagValue; +} + +// export async function getPrdJudicialUsersAPIHeader(): Promise { +// const featureToggleService = new FeatureToggleService(); +// const isV2FeatureEnabled = await featureToggleService.getValue(ENABLE_JRD_E_LINKS_API_V2, false); +// console.log('IS V2 FEATURE ENABLED', isV2FeatureEnabled); +// const headers = isV2FeatureEnabled +// ? CONTENT_TYPE_V2 +// : CONTENT_TYPE_V1; +// console.log('HEADERS', headers); +// return headers; +// } diff --git a/package.json b/package.json index 41a3b94c1a..936e07e05f 100644 --- a/package.json +++ b/package.json @@ -93,6 +93,7 @@ "@hmcts/properties-volume": "^0.0.13", "@hmcts/rpx-xui-common-lib": "1.9.0-welsh-translation", "@hmcts/rpx-xui-node-lib": "2.25.12", + "@launchdarkly/node-server-sdk": "^8.2.1", "@ng-idle/core": "^11.1.0", "@ng-idle/keepalive": "^11.0.3", "@ngrx/effects": "^7.4.0", diff --git a/yarn.lock b/yarn.lock index 4e118b3f78..64c97e8f70 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2906,6 +2906,34 @@ __metadata: languageName: node linkType: hard +"@launchdarkly/js-sdk-common@npm:1.1.0": + version: 1.1.0 + resolution: "@launchdarkly/js-sdk-common@npm:1.1.0" + checksum: d7d98005973fb02637f9e064d360c06a3a7cfada3e853d3966b28ac69d288c28bba20aece4ab0a3b8444cd75ea0edd8ea303a384dbf834ce8e5b77f3750c7701 + languageName: node + linkType: hard + +"@launchdarkly/js-server-sdk-common@npm:1.2.0": + version: 1.2.0 + resolution: "@launchdarkly/js-server-sdk-common@npm:1.2.0" + dependencies: + "@launchdarkly/js-sdk-common": 1.1.0 + semver: 7.5.4 + checksum: 59410b3b32dffc01cc11fdde4eb282795b525b57673c1aaaa4f19d7d610d4b7c91c3ce214488a2e3fda7dfac03ef832df55f5b604df286d71e989656ea4932fb + languageName: node + linkType: hard + +"@launchdarkly/node-server-sdk@npm:^8.2.1": + version: 8.2.1 + resolution: "@launchdarkly/node-server-sdk@npm:8.2.1" + dependencies: + "@launchdarkly/js-server-sdk-common": 1.2.0 + https-proxy-agent: ^5.0.1 + launchdarkly-eventsource: 2.0.0 + checksum: 768a0615e69285030632158dc68d3cb4cef7c465be275032cbcd6d6bd72881d91af2471ea2c4ee1846824435bd651867be15f6219446c60fb619e380d6578d9b + languageName: node + linkType: hard + "@ng-idle/core@npm:^11.1.0": version: 11.1.0 resolution: "@ng-idle/core@npm:11.1.0" @@ -11690,7 +11718,7 @@ __metadata: languageName: node linkType: hard -"https-proxy-agent@npm:5.0.1, https-proxy-agent@npm:^5.0.0": +"https-proxy-agent@npm:5.0.1, https-proxy-agent@npm:^5.0.0, https-proxy-agent@npm:^5.0.1": version: 5.0.1 resolution: "https-proxy-agent@npm:5.0.1" dependencies: @@ -14082,6 +14110,13 @@ __metadata: languageName: node linkType: hard +"launchdarkly-eventsource@npm:2.0.0": + version: 2.0.0 + resolution: "launchdarkly-eventsource@npm:2.0.0" + checksum: e945c08e9eb9f93cf6f5e25610fe052788936ca02d458489c67205b59fc6af43154cccb10b31a9cbde13b43d59ec3de18dccb4ee92beb8b6930526e3a00a14be + languageName: node + linkType: hard + "launchdarkly-js-client-sdk@npm:^2.16.3": version: 2.22.1 resolution: "launchdarkly-js-client-sdk@npm:2.22.1" @@ -19278,6 +19313,7 @@ __metadata: "@hmcts/properties-volume": ^0.0.13 "@hmcts/rpx-xui-common-lib": 1.9.0-welsh-translation "@hmcts/rpx-xui-node-lib": 2.25.12 + "@launchdarkly/node-server-sdk": ^8.2.1 "@ng-idle/core": ^11.1.0 "@ng-idle/keepalive": ^11.0.3 "@ngrx/effects": ^7.4.0 @@ -19734,6 +19770,17 @@ __metadata: languageName: node linkType: hard +"semver@npm:7.5.4": + version: 7.5.4 + resolution: "semver@npm:7.5.4" + dependencies: + lru-cache: ^6.0.0 + bin: + semver: bin/semver.js + checksum: 12d8ad952fa353b0995bf180cdac205a4068b759a140e5d3c608317098b3575ac2f1e09182206bf2eb26120e1c0ed8fb92c48c592f6099680de56bb071423ca3 + languageName: node + linkType: hard + "semver@npm:^6.0.0, semver@npm:^6.3.0, semver@npm:~6.3.0": version: 6.3.0 resolution: "semver@npm:6.3.0" From 0491e96af17c2982f9e5f3c61f103ffb3491ebff Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Thu, 24 Aug 2023 16:14:44 +0100 Subject: [PATCH 06/23] Revert "EUI-8779 Merge unmerged RA code" This reverts commit efbc9a3f5893156ed6cb5afcb86c75dd6bde6d7b. --- api/prd/judicial/index.ts | 81 ++------------------------------------- package.json | 1 - yarn.lock | 49 +---------------------- 3 files changed, 5 insertions(+), 126 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index cc0c384292..de410ae764 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -1,23 +1,15 @@ -import { FeatureUser, LaunchDarklyService } from '@hmcts/rpx-xui-common-lib'; import { NextFunction, Response } from 'express'; +import { handlePost } from '../../common/crudService'; import { getConfigValue } from '../../configuration'; -import { LAUNCH_DARKLY_CLIENT_ID, SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; -import { http } from '../../lib/http'; +import { SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; import { EnhancedRequest } from '../../lib/models'; import { JudicialUserModel, RawJudicialUserModel, transformToJudicialUserModel } from './models/judicialUser.model'; -import { setHeaders } from '../../lib/proxy'; -import * as LaunchDarkly from '@launchdarkly/node-server-sdk'; -const ENABLE_JRD_E_LINKS_API_V2 = 'enable-jrd-e-links-api-v2'; -const CONTENT_TYPE_V1 = 'application/json'; -const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); -const launchDarklyKey = getConfigValue(LAUNCH_DARKLY_CLIENT_ID); -let ldClient: LaunchDarkly.LDClient; /** * @overview searchJudicialUserByPersonalCodes from personalCodes, i.e. ['p1000000','p1000001'] @@ -28,9 +20,7 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - //const headers = getPrdJudicialUsersAPIHeader(); - const headers = setHeaders(req); - const { status, data }: { status: number, data: RawJudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); + const { status, data }: { status: number, data: RawJudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); const result = data.map(transformToJudicialUserModel); res.status(status).send(result); } catch (error) { @@ -47,72 +37,9 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { - // const headers = getPrdJudicialUsersAPIHeader(); - // req.session.passport.user.userinfo - const userInfo = req.session.passport.user.userinfo; - console.log('USER INFO FROM SESSION', userInfo); - // console.log(req.session.passport.user); - // console.log(req.session.passport); - // console.log(req.session); - console.log('LAUNCH DARKLY KEY', launchDarklyKey); - - const featureUser: FeatureUser = { - key: userInfo.id || userInfo.uid, - custom: { - roles: userInfo.roles, - orgId: '-1' - } - }; - - const flagValue = getFlagValue(ENABLE_JRD_E_LINKS_API_V2, null); - - console.log('FLAG VALUE', flagValue); - - // const featureToggleService = new LaunchDarklyService(); - // featureToggleService.initialize(featureUser, launchDarklyKey); - // const isV2FeatureEnabled = await featureToggleService.isEnabled(ENABLE_JRD_E_LINKS_API_V2); - // console.log('IS V2 FEATURE ENABLED', isV2FeatureEnabled); - // const headers = isV2FeatureEnabled - // ? CONTENT_TYPE_V2 - // : CONTENT_TYPE_V1; - // console.log('HEADERS', headers); - const headers = setHeaders(req, CONTENT_TYPE_V1); - console.log('HEADERS', headers); - const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); - console.log('DATA', data); + const { status, data }: { status: number, data: JudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); res.status(status).send(data); } catch (error) { - console.log('ERROR', error); next(error); } } - -async function getClient(): Promise { - const client = LaunchDarkly.init(launchDarklyKey); - await client.waitForInitialization(); - return client; -} - -async function getFlagValue(key: string, user: LaunchDarkly.LDUser | null, defaultValue: any = false): Promise { - if (!ldClient) { - ldClient = await getClient(); - } - if (!user) { - user = { - key: 'anonymous' - }; - } - const flagValue = await ldClient.variation(key, user, defaultValue); - return flagValue; -} - -// export async function getPrdJudicialUsersAPIHeader(): Promise { -// const featureToggleService = new FeatureToggleService(); -// const isV2FeatureEnabled = await featureToggleService.getValue(ENABLE_JRD_E_LINKS_API_V2, false); -// console.log('IS V2 FEATURE ENABLED', isV2FeatureEnabled); -// const headers = isV2FeatureEnabled -// ? CONTENT_TYPE_V2 -// : CONTENT_TYPE_V1; -// console.log('HEADERS', headers); -// return headers; -// } diff --git a/package.json b/package.json index 936e07e05f..41a3b94c1a 100644 --- a/package.json +++ b/package.json @@ -93,7 +93,6 @@ "@hmcts/properties-volume": "^0.0.13", "@hmcts/rpx-xui-common-lib": "1.9.0-welsh-translation", "@hmcts/rpx-xui-node-lib": "2.25.12", - "@launchdarkly/node-server-sdk": "^8.2.1", "@ng-idle/core": "^11.1.0", "@ng-idle/keepalive": "^11.0.3", "@ngrx/effects": "^7.4.0", diff --git a/yarn.lock b/yarn.lock index 64c97e8f70..4e118b3f78 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2906,34 +2906,6 @@ __metadata: languageName: node linkType: hard -"@launchdarkly/js-sdk-common@npm:1.1.0": - version: 1.1.0 - resolution: "@launchdarkly/js-sdk-common@npm:1.1.0" - checksum: d7d98005973fb02637f9e064d360c06a3a7cfada3e853d3966b28ac69d288c28bba20aece4ab0a3b8444cd75ea0edd8ea303a384dbf834ce8e5b77f3750c7701 - languageName: node - linkType: hard - -"@launchdarkly/js-server-sdk-common@npm:1.2.0": - version: 1.2.0 - resolution: "@launchdarkly/js-server-sdk-common@npm:1.2.0" - dependencies: - "@launchdarkly/js-sdk-common": 1.1.0 - semver: 7.5.4 - checksum: 59410b3b32dffc01cc11fdde4eb282795b525b57673c1aaaa4f19d7d610d4b7c91c3ce214488a2e3fda7dfac03ef832df55f5b604df286d71e989656ea4932fb - languageName: node - linkType: hard - -"@launchdarkly/node-server-sdk@npm:^8.2.1": - version: 8.2.1 - resolution: "@launchdarkly/node-server-sdk@npm:8.2.1" - dependencies: - "@launchdarkly/js-server-sdk-common": 1.2.0 - https-proxy-agent: ^5.0.1 - launchdarkly-eventsource: 2.0.0 - checksum: 768a0615e69285030632158dc68d3cb4cef7c465be275032cbcd6d6bd72881d91af2471ea2c4ee1846824435bd651867be15f6219446c60fb619e380d6578d9b - languageName: node - linkType: hard - "@ng-idle/core@npm:^11.1.0": version: 11.1.0 resolution: "@ng-idle/core@npm:11.1.0" @@ -11718,7 +11690,7 @@ __metadata: languageName: node linkType: hard -"https-proxy-agent@npm:5.0.1, https-proxy-agent@npm:^5.0.0, https-proxy-agent@npm:^5.0.1": +"https-proxy-agent@npm:5.0.1, https-proxy-agent@npm:^5.0.0": version: 5.0.1 resolution: "https-proxy-agent@npm:5.0.1" dependencies: @@ -14110,13 +14082,6 @@ __metadata: languageName: node linkType: hard -"launchdarkly-eventsource@npm:2.0.0": - version: 2.0.0 - resolution: "launchdarkly-eventsource@npm:2.0.0" - checksum: e945c08e9eb9f93cf6f5e25610fe052788936ca02d458489c67205b59fc6af43154cccb10b31a9cbde13b43d59ec3de18dccb4ee92beb8b6930526e3a00a14be - languageName: node - linkType: hard - "launchdarkly-js-client-sdk@npm:^2.16.3": version: 2.22.1 resolution: "launchdarkly-js-client-sdk@npm:2.22.1" @@ -19313,7 +19278,6 @@ __metadata: "@hmcts/properties-volume": ^0.0.13 "@hmcts/rpx-xui-common-lib": 1.9.0-welsh-translation "@hmcts/rpx-xui-node-lib": 2.25.12 - "@launchdarkly/node-server-sdk": ^8.2.1 "@ng-idle/core": ^11.1.0 "@ng-idle/keepalive": ^11.0.3 "@ngrx/effects": ^7.4.0 @@ -19770,17 +19734,6 @@ __metadata: languageName: node linkType: hard -"semver@npm:7.5.4": - version: 7.5.4 - resolution: "semver@npm:7.5.4" - dependencies: - lru-cache: ^6.0.0 - bin: - semver: bin/semver.js - checksum: 12d8ad952fa353b0995bf180cdac205a4068b759a140e5d3c608317098b3575ac2f1e09182206bf2eb26120e1c0ed8fb92c48c592f6099680de56bb071423ca3 - languageName: node - linkType: hard - "semver@npm:^6.0.0, semver@npm:^6.3.0, semver@npm:~6.3.0": version: 6.3.0 resolution: "semver@npm:6.3.0" From 5cfc350f76bf9877af47fd3f425b67df3ae3b178 Mon Sep 17 00:00:00 2001 From: johnbenjamin-hmcts Date: Thu, 24 Aug 2023 15:43:57 +0000 Subject: [PATCH 07/23] feature/EUI-8736-JRD-e-Links-API-V2: Setting Preview Deployment ID --- charts/xui-webapp/values.preview.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 130e2808c7..4823a626d6 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -23,7 +23,7 @@ nodejs: SERVICES_CASE_JUDICIAL_API: http://rd-judicial-api-aat.service.core-compute-aat.internal SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 keyVaults: rpx: secrets: From 502d771c88f7582fb7f92ab7129a97546a46d620 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Thu, 24 Aug 2023 17:29:51 +0100 Subject: [PATCH 08/23] EUI-8736 JRD e-Links API V2 --- api/configuration/appConfig.ts | 2 ++ api/configuration/references.ts | 2 ++ api/prd/judicial/index.ts | 16 ++++++++++++++-- charts/xui-webapp/values.preview.template.yaml | 1 + config/custom-environment-variables.json | 12 ++++++++---- config/default.json | 1 + 6 files changed, 28 insertions(+), 6 deletions(-) diff --git a/api/configuration/appConfig.ts b/api/configuration/appConfig.ts index 0b9a91b182..f000aa380a 100644 --- a/api/configuration/appConfig.ts +++ b/api/configuration/appConfig.ts @@ -5,6 +5,7 @@ import { FEATURE_ACCESS_MANAGEMENT_ENABLED, FEATURE_APP_INSIGHTS_ENABLED, FEATURE_HELMET_ENABLED, + FEATURE_JRD_E_LINKS_V2_ENABLED, FEATURE_OIDC_ENABLED, FEATURE_PROXY_ENABLED, FEATURE_REDIS_ENABLED, @@ -62,6 +63,7 @@ export const applicationConfiguration = () => { featureSecureCookieEnabled: showFeature(FEATURE_SECURE_COOKIE_ENABLED), featureTermsAndConditionsEnabled: showFeature(FEATURE_TERMS_AND_CONDITIONS_ENABLED), featureWorkAllocationEnabled: showFeature(FEATURE_WORKALLOCATION_ENABLED), + featureJrdELinksV2Enabled: showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED), health: getConfigValue(HEALTH), idamApiUrl: getConfigValue(SERVICES_IDAM_API_URL), idamWeb: getConfigValue(SERVICES_IDAM_LOGIN_URL), diff --git a/api/configuration/references.ts b/api/configuration/references.ts index cc65f4c644..16dcfdd51a 100644 --- a/api/configuration/references.ts +++ b/api/configuration/references.ts @@ -120,6 +120,8 @@ export const FEATURE_COMPRESSION_ENABLED = 'compressionEnabled'; export const FEATURE_WORKALLOCATION_ENABLED = 'workAllocationEnabled'; +export const FEATURE_JRD_E_LINKS_V2_ENABLED = 'jrdELinksV2Enabled'; + export const HELMET = 'helmet'; export const REDIS_KEY_PREFIX = 'redis.prefix'; diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index de410ae764..c30af26bfd 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -1,14 +1,18 @@ import { NextFunction, Response } from 'express'; import { handlePost } from '../../common/crudService'; import { getConfigValue } from '../../configuration'; -import { SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; +import { FEATURE_JRD_E_LINKS_V2_ENABLED, SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; +import { http } from '../../lib/http'; import { EnhancedRequest } from '../../lib/models'; +import { setHeaders } from '../../lib/proxy'; import { JudicialUserModel, RawJudicialUserModel, transformToJudicialUserModel } from './models/judicialUser.model'; +const CONTENT_TYPE_V1 = 'application/json'; +const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); /** @@ -37,7 +41,15 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { - const { status, data }: { status: number, data: JudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); + console.log('FEATURE_JRD_E_LINKS_V2_ENABLED', getConfigValue(FEATURE_JRD_E_LINKS_V2_ENABLED)); + + const headers = getConfigValue(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V1) + : setHeaders(req, CONTENT_TYPE_V2); + + console.log('HEADERS', headers); + + const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); res.status(status).send(data); } catch (error) { next(error); diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 130e2808c7..37b5f51816 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -23,6 +23,7 @@ nodejs: SERVICES_CASE_JUDICIAL_API: http://rd-judicial-api-aat.service.core-compute-aat.internal SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true + FEATURE_JRD_E_LINKS_V2_ENABLED: true PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 keyVaults: rpx: diff --git a/config/custom-environment-variables.json b/config/custom-environment-variables.json index 80d23d3c5b..016d3849a3 100644 --- a/config/custom-environment-variables.json +++ b/config/custom-environment-variables.json @@ -160,19 +160,23 @@ }, "oidcEnabled": { "__name": "FEATURE_OIDC_ENABLED", - "__format":"json" + "__format": "json" }, "workAllocationEnabled": { "__name": "FEATURE_WORKALLOCATION_ENABLED", - "__format":"json" + "__format": "json" + }, + "jrdELinksV2Enabled": { + "__name": "FEATURE_JRD_E_LINKS_V2_ENABLED", + "__format": "json" }, "substantiveRoleEnabled": { "__name": "FEATURE_SUBSTANTIVE_ROLE_ENABLED", - "__format":"json" + "__format": "json" }, "accessManagementEnabled": { "__name": "FEATURE_ACCESS_MANAGEMENT_ENABLED", - "__format":"json" + "__format": "json" }, "compressionEnabled": { "__name": "FEATURE_COMPRESSION_ENABLED", diff --git a/config/default.json b/config/default.json index b0d98c74d1..d3cb735034 100644 --- a/config/default.json +++ b/config/default.json @@ -179,6 +179,7 @@ "redisEnabled": false, "oidcEnabled": false, "workAllocationEnabled": false, + "jrdELinksV2Enabled": false, "roleEnabled": false, "caseworkerRefEnabled": false, "substantiveRoleEnabled": true, From 1c2294132aa448ac7349de42abe01b20699ec6c4 Mon Sep 17 00:00:00 2001 From: johnbenjamin-hmcts Date: Thu, 24 Aug 2023 16:30:41 +0000 Subject: [PATCH 09/23] feature/EUI-8736-JRD-e-Links-API-V2: Setting Preview Deployment ID --- charts/xui-webapp/values.preview.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 2696c11a13..be4bda9b67 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -24,7 +24,7 @@ nodejs: SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true FEATURE_JRD_E_LINKS_V2_ENABLED: true - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 keyVaults: rpx: From 6713406f50d7cd772a7209e2e9bd93f6460dcf34 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 25 Aug 2023 09:48:33 +0100 Subject: [PATCH 10/23] Merge from master --- charts/xui-webapp/values.preview.template.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index be4bda9b67..37b5f51816 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -24,8 +24,7 @@ nodejs: SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true FEATURE_JRD_E_LINKS_V2_ENABLED: true - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 keyVaults: rpx: secrets: From 5b9191745946d4749e37d0970e5f642bb42ca61f Mon Sep 17 00:00:00 2001 From: johnbenjamin-hmcts Date: Fri, 25 Aug 2023 08:49:04 +0000 Subject: [PATCH 11/23] feature/EUI-8736-JRD-e-Links-API-V2: Setting Preview Deployment ID --- charts/xui-webapp/values.preview.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 37b5f51816..41a1a65eb4 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -24,7 +24,7 @@ nodejs: SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true FEATURE_JRD_E_LINKS_V2_ENABLED: true - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 keyVaults: rpx: secrets: From d7fdabeb2efad7ed0da293f21ca2c25edd7daabe Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 25 Aug 2023 11:10:21 +0100 Subject: [PATCH 12/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/index.ts | 21 ++++++++++----------- api/roleAccess/exclusionService.ts | 14 +++++++++----- api/workAllocation/personService.ts | 11 ++++++++--- charts/xui-webapp/values.yaml | 1 + 4 files changed, 28 insertions(+), 19 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index c30af26bfd..3d57cd2831 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -1,6 +1,5 @@ import { NextFunction, Response } from 'express'; -import { handlePost } from '../../common/crudService'; -import { getConfigValue } from '../../configuration'; +import { getConfigValue, showFeature } from '../../configuration'; import { FEATURE_JRD_E_LINKS_V2_ENABLED, SERVICES_PRD_JUDICIAL_API } from '../../configuration/references'; import { http } from '../../lib/http'; import { EnhancedRequest } from '../../lib/models'; @@ -24,7 +23,11 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - const { status, data }: { status: number, data: RawJudicialUserModel[] } = await handlePost(markupPath, reqBody, req, next); + // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V2) + : setHeaders(req, CONTENT_TYPE_V1); + const { status, data }: { status: number, data: RawJudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); const result = data.map(transformToJudicialUserModel); res.status(status).send(result); } catch (error) { @@ -41,14 +44,10 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { - console.log('FEATURE_JRD_E_LINKS_V2_ENABLED', getConfigValue(FEATURE_JRD_E_LINKS_V2_ENABLED)); - - const headers = getConfigValue(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V1) - : setHeaders(req, CONTENT_TYPE_V2); - - console.log('HEADERS', headers); - + // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V2) + : setHeaders(req, CONTENT_TYPE_V1); const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); res.status(status).send(data); } catch (error) { diff --git a/api/roleAccess/exclusionService.ts b/api/roleAccess/exclusionService.ts index e120b4fba0..ffe38c0c2d 100644 --- a/api/roleAccess/exclusionService.ts +++ b/api/roleAccess/exclusionService.ts @@ -3,8 +3,8 @@ import * as express from 'express'; import { NextFunction, Response } from 'express'; import { UserInfo } from '../auth/interfaces/UserInfo'; import { sendPost } from '../common/crudService'; -import { getConfigValue } from '../configuration'; -import { SERVICES_CASE_JUDICIAL_REF_PATH, SERVICES_ROLE_ASSIGNMENT_API_PATH } from '../configuration/references'; +import { getConfigValue, showFeature } from '../configuration'; +import { FEATURE_JRD_E_LINKS_V2_ENABLED, SERVICES_CASE_JUDICIAL_REF_PATH, SERVICES_ROLE_ASSIGNMENT_API_PATH } from '../configuration/references'; import { http } from '../lib/http'; import { EnhancedRequest } from '../lib/models'; import { setHeaders } from '../lib/proxy'; @@ -14,6 +14,8 @@ import { RoleCategory } from './models/allocate-role.enum'; import { CaseRoleRequestPayload, RoleExclusion } from './models/caseRoleRequestPayload'; import { release2ContentType } from './models/release2ContentType'; +const CONTENT_TYPE_V1 = 'application/json'; +const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const baseRoleAccessUrl = getConfigValue(SERVICES_ROLE_ASSIGNMENT_API_PATH); const JUDICIAL_REF_URL = getConfigValue(SERVICES_CASE_JUDICIAL_REF_PATH); @@ -170,8 +172,10 @@ export function getCorrectRoleCategory(domain: string): RoleCategory { } } -export function -getJudicialUsersFromApi(req: express.Request, ids: string[], serviceCode: string): Promise> { - const headers = setHeaders(req); +export function getJudicialUsersFromApi(req: express.Request, ids: string[], serviceCode: string): Promise> { + // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V2) + : setHeaders(req, CONTENT_TYPE_V1); return http.post(`${JUDICIAL_REF_URL}/refdata/judicial/users`, { sidam_ids: ids, serviceCode }, { headers }); } diff --git a/api/workAllocation/personService.ts b/api/workAllocation/personService.ts index b259b675b6..ec53398d26 100644 --- a/api/workAllocation/personService.ts +++ b/api/workAllocation/personService.ts @@ -1,6 +1,6 @@ import { Response } from 'express'; -import { getConfigValue } from '../configuration'; -import { SERVICES_CASE_JUDICIAL_REF_PATH } from '../configuration/references'; +import { getConfigValue, showFeature } from '../configuration'; +import { FEATURE_JRD_E_LINKS_V2_ENABLED, SERVICES_CASE_JUDICIAL_REF_PATH } from '../configuration/references'; import { http } from '../lib/http'; import { EnhancedRequest } from '../lib/models'; import { setHeaders } from '../lib/proxy'; @@ -9,6 +9,8 @@ import { PERSON } from './constants/mock.data'; import { PersonRole } from './interfaces/person'; import { applySearchFilter } from './util'; +const CONTENT_TYPE_V1 = 'application/json'; +const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const JUDICIAL_REF_URL = getConfigValue(SERVICES_CASE_JUDICIAL_REF_PATH); // judicial person search @@ -34,8 +36,11 @@ export async function postFindPersonSearch(req: EnhancedRequest, res: Response) let searchResult: any = []; if (domain === PersonRole.JUDICIAL) { try { - const headers = setHeaders(req); for (const serviceCode of serviceCodes) { + // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V2) + : setHeaders(req, CONTENT_TYPE_V1); const body = { searchString, serviceCode }; const response = await http.post(`${JUDICIAL_REF_URL}/refdata/judicial/users/search`, body, { headers }); searchResult = response.data ? [...response.data, ...searchResult] : searchResult; diff --git a/charts/xui-webapp/values.yaml b/charts/xui-webapp/values.yaml index 7ca88e0c75..e13401f1bc 100644 --- a/charts/xui-webapp/values.yaml +++ b/charts/xui-webapp/values.yaml @@ -128,6 +128,7 @@ nodejs: FEATURE_OIDC_ENABLED: false FEATURE_UPDATED_TASK_PERMISSIONS_ENABLED: true FEATURE_WORKALLOCATION_ENABLED: false + FEATURE_JRD_E_LINKS_V2_ENABLED: false FEATURE_SUBSTANTIVE_ROLE_ENABLED: true FEATURE_ACCESS_MANAGEMENT_ENABLED: false From f28a6526fe573f00b2f62bf2465edea7534559f8 Mon Sep 17 00:00:00 2001 From: hmcts-jenkins-j-to-z <61242337+hmcts-jenkins-j-to-z[bot]@users.noreply.github.com> Date: Fri, 25 Aug 2023 10:11:09 +0000 Subject: [PATCH 13/23] Bumping chart version/ fixing aliases --- charts/xui-webapp/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/Chart.yaml b/charts/xui-webapp/Chart.yaml index c932dcc984..d5077c67b7 100644 --- a/charts/xui-webapp/Chart.yaml +++ b/charts/xui-webapp/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: xui-webapp home: https://github.com/hmcts/rpx-xui-webapp -version: 1.0.9 +version: 1.0.10 description: Expert UI maintainers: - name: HMCTS RPX XUI From eb7fde8c9b7eaf350d566d4a41246aa8c6c9522e Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 1 Sep 2023 11:38:13 +0100 Subject: [PATCH 14/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/index.ts | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index 3d57cd2831..2ffcd39a0e 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -23,10 +23,8 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { - // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V2) - : setHeaders(req, CONTENT_TYPE_V1); + // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = getHeadersBasedOnJudicialUserApiVersion(req); const { status, data }: { status: number, data: RawJudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); const result = data.map(transformToJudicialUserModel); res.status(status).send(result); @@ -44,13 +42,25 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const reqBody = req.body; const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { - // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V2) - : setHeaders(req, CONTENT_TYPE_V1); + // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + const headers = getHeadersBasedOnJudicialUserApiVersion(req); const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); res.status(status).send(data); } catch (error) { + // console.log('ERROR', error); next(error); } } + +function getHeadersBasedOnJudicialUserApiVersion(req: EnhancedRequest): any { + // Set the request headers accept property based on the API version enabled + req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? CONTENT_TYPE_V2 + : CONTENT_TYPE_V1; + // Set the request headers content type property based on the API version enabled + const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? setHeaders(req, CONTENT_TYPE_V2) + : setHeaders(req, CONTENT_TYPE_V1); + // Return the updated request headers + return headers; +} From 9ee97755e331607ade72c85465375f4a7a408bdb Mon Sep 17 00:00:00 2001 From: johnbenjamin-hmcts Date: Fri, 1 Sep 2023 10:39:51 +0000 Subject: [PATCH 15/23] feature/EUI-8736-JRD-e-Links-API-V2: Setting Preview Deployment ID --- charts/xui-webapp/values.preview.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 1322aabfd7..4823a626d6 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -23,7 +23,7 @@ nodejs: SERVICES_CASE_JUDICIAL_API: http://rd-judicial-api-aat.service.core-compute-aat.internal SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true - PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3250 + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3227 keyVaults: rpx: secrets: From 0263e90692b8914bcc6c8528f4945e2202d29a26 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 1 Sep 2023 11:45:14 +0100 Subject: [PATCH 16/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/index.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index 2ffcd39a0e..41e8a863ad 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -47,7 +47,6 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); res.status(status).send(data); } catch (error) { - // console.log('ERROR', error); next(error); } } From 60c7d2f94fa01b8f6eb1d3fb3a611697da28f5c2 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 1 Sep 2023 11:55:26 +0100 Subject: [PATCH 17/23] Update yarn-audit-known-issues --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index fac242c3b0..27fe2698f3 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088907":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-01-27T05:04:51.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1088907,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1091860":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-05-01T20:20:44.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091860,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1092096":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-05-23T13:29:07.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092096,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092365":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-07-03T18:38:26.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092365,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1092420":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-07-07T18:54:15.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092420,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092461":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092461,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093185":{"findings":[{"version":"1.2.5","paths":["codeceptjs>mkdirp>minimist","accessibility-checker>chromedriver>mkdirp>minimist","accessibility-checker>chromedriver>extract-zip>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>tar>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-08-30T22:49:50.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093185,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":47,"critical":24},"dependencies":1008,"devDependencies":7,"optionalDependencies":0,"totalDependencies":1015}} +{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088907":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-01-27T05:04:51.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1088907,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1091860":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-05-01T20:20:44.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091860,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1092096":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-05-23T13:29:07.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092096,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092420":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-07-07T18:54:15.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092420,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092461":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092461,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093185":{"findings":[{"version":"1.2.5","paths":["codeceptjs>mkdirp>minimist","accessibility-checker>chromedriver>mkdirp>minimist","accessibility-checker>chromedriver>extract-zip>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>tar>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-08-30T22:49:50.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093185,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1093221":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-31T22:59:05.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093221,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":47,"critical":24},"dependencies":1008,"devDependencies":7,"optionalDependencies":0,"totalDependencies":1015}} From 535fbe2200cc35ad4ea39a3b0c9aeee5688846f1 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Thu, 28 Sep 2023 09:56:25 +0100 Subject: [PATCH 18/23] Update yarn-audit-known-issues --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index dd606f40ed..d7aaeee429 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094086":{"findings":[{"version":"1.2.5","paths":["codeceptjs>requireg>rc>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-21T22:07:42.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094086,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":47,"critical":8},"dependencies":1007,"devDependencies":8,"optionalDependencies":0,"totalDependencies":1015}} +{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094086":{"findings":[{"version":"1.2.5","paths":["codeceptjs>requireg>rc>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-21T22:07:42.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094086,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1094183":{"findings":[{"version":"2.0.0","paths":["codeceptjs>chai>get-func-name","codeceptjs>chai-deep-match>chai>get-func-name","codeceptjs>chai-deep-match>chai>loupe>get-func-name"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"get-func-name","severity":"high","github_advisory_id":"GHSA-4q6p-r6v2-jvc5","cves":["CVE-2023-43646"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":8.6,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},"updated":"2023-09-27T20:16:02.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094183,"references":"- https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5\n- https://nvd.nist.gov/vuln/detail/CVE-2023-43646\n- https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69\n- https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15\n- https://github.com/advisories/GHSA-4q6p-r6v2-jvc5","created":"2023-09-27T20:16:00.000Z","reported_by":null,"title":"Chaijs/get-func-name vulnerable to ReDoS","npm_advisory_id":null,"overview":"The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n'\\t'.repeat(54773) + '\\t/function/i'\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = '\\t'.repeat(54773) + '\\t/function/i'\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```","url":"https://github.com/advisories/GHSA-4q6p-r6v2-jvc5"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":50,"critical":8},"dependencies":1007,"devDependencies":8,"optionalDependencies":0,"totalDependencies":1015}} From 56778635e5438a28e7183b66d847e9741444d64c Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 29 Sep 2023 09:01:58 +0100 Subject: [PATCH 19/23] EUI-8736 JRD e-Links API V2 --- api/prd/judicial/index.ts | 27 ++++++++++----------------- api/roleAccess/exclusionService.ts | 13 +++++++------ api/workAllocation/personService.ts | 13 +++++++------ config/default.json | 2 +- 4 files changed, 25 insertions(+), 30 deletions(-) diff --git a/api/prd/judicial/index.ts b/api/prd/judicial/index.ts index 41e8a863ad..76192e8413 100644 --- a/api/prd/judicial/index.ts +++ b/api/prd/judicial/index.ts @@ -10,8 +10,8 @@ import { transformToJudicialUserModel } from './models/judicialUser.model'; -const CONTENT_TYPE_V1 = 'application/json'; -const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; +const HEADER_ACCEPT_V1 = 'application/json'; +const HEADER_ACCEPT_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const prdUrl: string = getConfigValue(SERVICES_PRD_JUDICIAL_API); /** @@ -24,7 +24,10 @@ export async function searchJudicialUserByPersonalCodes(req: EnhancedRequest, re const markupPath: string = `${prdUrl}/refdata/judicial/users`; try { // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = getHeadersBasedOnJudicialUserApiVersion(req); + req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? HEADER_ACCEPT_V2 + : HEADER_ACCEPT_V1; + const headers = setHeaders(req); const { status, data }: { status: number, data: RawJudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); const result = data.map(transformToJudicialUserModel); res.status(status).send(result); @@ -43,23 +46,13 @@ export async function getJudicialUsersSearch(req: EnhancedRequest, res: Response const markupPath: string = `${prdUrl}/refdata/judicial/users/search`; try { // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = getHeadersBasedOnJudicialUserApiVersion(req); + req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? HEADER_ACCEPT_V2 + : HEADER_ACCEPT_V1; + const headers = setHeaders(req); const { status, data }: { status: number, data: JudicialUserModel[] } = await http.post(markupPath, reqBody, { headers }); res.status(status).send(data); } catch (error) { next(error); } } - -function getHeadersBasedOnJudicialUserApiVersion(req: EnhancedRequest): any { - // Set the request headers accept property based on the API version enabled - req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? CONTENT_TYPE_V2 - : CONTENT_TYPE_V1; - // Set the request headers content type property based on the API version enabled - const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V2) - : setHeaders(req, CONTENT_TYPE_V1); - // Return the updated request headers - return headers; -} diff --git a/api/roleAccess/exclusionService.ts b/api/roleAccess/exclusionService.ts index ffe38c0c2d..4e2b303c17 100644 --- a/api/roleAccess/exclusionService.ts +++ b/api/roleAccess/exclusionService.ts @@ -14,8 +14,8 @@ import { RoleCategory } from './models/allocate-role.enum'; import { CaseRoleRequestPayload, RoleExclusion } from './models/caseRoleRequestPayload'; import { release2ContentType } from './models/release2ContentType'; -const CONTENT_TYPE_V1 = 'application/json'; -const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; +const HEADER_ACCEPT_V1 = 'application/json'; +const HEADER_ACCEPT_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const baseRoleAccessUrl = getConfigValue(SERVICES_ROLE_ASSIGNMENT_API_PATH); const JUDICIAL_REF_URL = getConfigValue(SERVICES_CASE_JUDICIAL_REF_PATH); @@ -173,9 +173,10 @@ export function getCorrectRoleCategory(domain: string): RoleCategory { } export function getJudicialUsersFromApi(req: express.Request, ids: string[], serviceCode: string): Promise> { - // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V2) - : setHeaders(req, CONTENT_TYPE_V1); + // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? HEADER_ACCEPT_V2 + : HEADER_ACCEPT_V1; + const headers = setHeaders(req); return http.post(`${JUDICIAL_REF_URL}/refdata/judicial/users`, { sidam_ids: ids, serviceCode }, { headers }); } diff --git a/api/workAllocation/personService.ts b/api/workAllocation/personService.ts index ec53398d26..baff915ed1 100644 --- a/api/workAllocation/personService.ts +++ b/api/workAllocation/personService.ts @@ -9,8 +9,8 @@ import { PERSON } from './constants/mock.data'; import { PersonRole } from './interfaces/person'; import { applySearchFilter } from './util'; -const CONTENT_TYPE_V1 = 'application/json'; -const CONTENT_TYPE_V2 = 'application/vnd.jrd.api+json;Version=2.0'; +const HEADER_ACCEPT_V1 = 'application/json'; +const HEADER_ACCEPT_V2 = 'application/vnd.jrd.api+json;Version=2.0'; const JUDICIAL_REF_URL = getConfigValue(SERVICES_CASE_JUDICIAL_REF_PATH); // judicial person search @@ -37,10 +37,11 @@ export async function postFindPersonSearch(req: EnhancedRequest, res: Response) if (domain === PersonRole.JUDICIAL) { try { for (const serviceCode of serviceCodes) { - // Judicial User search API version to be used depends on the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value - const headers = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) - ? setHeaders(req, CONTENT_TYPE_V2) - : setHeaders(req, CONTENT_TYPE_V1); + // Judicial User search API version to be used depends upon the config entry FEATURE_JRD_E_LINKS_V2_ENABLED's value + req.headers.accept = showFeature(FEATURE_JRD_E_LINKS_V2_ENABLED) + ? HEADER_ACCEPT_V2 + : HEADER_ACCEPT_V1; + const headers = setHeaders(req); const body = { searchString, serviceCode }; const response = await http.post(`${JUDICIAL_REF_URL}/refdata/judicial/users/search`, body, { headers }); searchResult = response.data ? [...response.data, ...searchResult] : searchResult; diff --git a/config/default.json b/config/default.json index 853350fa6e..f7d96a8c15 100644 --- a/config/default.json +++ b/config/default.json @@ -187,7 +187,7 @@ "redisEnabled": false, "oidcEnabled": false, "workAllocationEnabled": false, - "jrdELinksV2Enabled": false, + "jrdELinksV2Enabled": true, "roleEnabled": false, "caseworkerRefEnabled": false, "substantiveRoleEnabled": true, From 217f7cc02a7691aa9e1da72be873b3d751dbcf89 Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Fri, 29 Sep 2023 10:26:30 +0100 Subject: [PATCH 20/23] EUI-8736 JRD e-Links API V2 --- api/roleAccess/exclusionService.spec.ts | 5 +++++ config/default.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/api/roleAccess/exclusionService.spec.ts b/api/roleAccess/exclusionService.spec.ts index 5bc8a61a1d..3a1f457ec7 100644 --- a/api/roleAccess/exclusionService.spec.ts +++ b/api/roleAccess/exclusionService.spec.ts @@ -256,6 +256,11 @@ describe('getJudicialUsersFromApi', () => { }); it('should get the judicial users successfully', async () => { + req = mockReq({ + headers: { + accept: 'application/json' + } + }); const response = await getJudicialUsersFromApi(req, userIds, 'BFA1'); expect(response.data.length).to.equal(2); expect(response.data).to.deep.equal(data); diff --git a/config/default.json b/config/default.json index f7d96a8c15..853350fa6e 100644 --- a/config/default.json +++ b/config/default.json @@ -187,7 +187,7 @@ "redisEnabled": false, "oidcEnabled": false, "workAllocationEnabled": false, - "jrdELinksV2Enabled": true, + "jrdELinksV2Enabled": false, "roleEnabled": false, "caseworkerRefEnabled": false, "substantiveRoleEnabled": true, From 0757a71ab1cd89c3f8436397a522663affccd522 Mon Sep 17 00:00:00 2001 From: hmcts-jenkins-j-to-z <61242337+hmcts-jenkins-j-to-z[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 08:49:35 +0000 Subject: [PATCH 21/23] Bumping chart version/ fixing aliases --- charts/xui-webapp/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/xui-webapp/Chart.yaml b/charts/xui-webapp/Chart.yaml index d5077c67b7..24b8c960d3 100644 --- a/charts/xui-webapp/Chart.yaml +++ b/charts/xui-webapp/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: xui-webapp home: https://github.com/hmcts/rpx-xui-webapp -version: 1.0.10 +version: 1.0.11 description: Expert UI maintainers: - name: HMCTS RPX XUI From 4e7ca8632d2b72174d98c512a494272f3505e9aa Mon Sep 17 00:00:00 2001 From: John Benjamin Date: Tue, 3 Oct 2023 16:50:41 +0100 Subject: [PATCH 22/23] Update yarn-audit-known-issues --- yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index d7aaeee429..e7305db108 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues @@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094086":{"findings":[{"version":"1.2.5","paths":["codeceptjs>requireg>rc>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-21T22:07:42.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094086,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1094183":{"findings":[{"version":"2.0.0","paths":["codeceptjs>chai>get-func-name","codeceptjs>chai-deep-match>chai>get-func-name","codeceptjs>chai-deep-match>chai>loupe>get-func-name"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"get-func-name","severity":"high","github_advisory_id":"GHSA-4q6p-r6v2-jvc5","cves":["CVE-2023-43646"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":8.6,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},"updated":"2023-09-27T20:16:02.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094183,"references":"- https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5\n- https://nvd.nist.gov/vuln/detail/CVE-2023-43646\n- https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69\n- https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15\n- https://github.com/advisories/GHSA-4q6p-r6v2-jvc5","created":"2023-09-27T20:16:00.000Z","reported_by":null,"title":"Chaijs/get-func-name vulnerable to ReDoS","npm_advisory_id":null,"overview":"The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n'\\t'.repeat(54773) + '\\t/function/i'\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = '\\t'.repeat(54773) + '\\t/function/i'\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```","url":"https://github.com/advisories/GHSA-4q6p-r6v2-jvc5"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":50,"critical":8},"dependencies":1007,"devDependencies":8,"optionalDependencies":0,"totalDependencies":1015}} +{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1093264":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-01T23:43:55.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1093264,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1093296":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-09-05T22:58:26.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1093296,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) var time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0) var time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1) var time2 = Date.now();\nlo.trimEnd(s) var time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2)\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1093314":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-09-05T22:24:56.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1093314,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1093500":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-09-07T21:28:03.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1093500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1093639":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-09-11T16:22:18.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1093639,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1094086":{"findings":[{"version":"1.2.5","paths":["codeceptjs>requireg>rc>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-09-21T22:07:42.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1094086,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1094087":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-09-21T22:16:39.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094087,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1094228":{"findings":[{"version":"2.0.0","paths":["codeceptjs>chai>get-func-name","codeceptjs>chai-deep-match>chai>get-func-name","codeceptjs>chai-deep-match>chai>loupe>get-func-name"]}],"metadata":null,"vulnerable_versions":"<2.0.1","module_name":"get-func-name","severity":"high","github_advisory_id":"GHSA-4q6p-r6v2-jvc5","cves":["CVE-2023-43646"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-10-02T21:05:48.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094228,"references":"- https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5\n- https://nvd.nist.gov/vuln/detail/CVE-2023-43646\n- https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69\n- https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15\n- https://github.com/advisories/GHSA-4q6p-r6v2-jvc5","created":"2023-09-27T20:16:00.000Z","reported_by":null,"title":"Chaijs/get-func-name vulnerable to ReDoS","npm_advisory_id":null,"overview":"The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n'\\t'.repeat(54773) + '\\t/function/i'\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = '\\t'.repeat(54773) + '\\t/function/i'\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```","url":"https://github.com/advisories/GHSA-4q6p-r6v2-jvc5"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":50,"critical":8},"dependencies":1007,"devDependencies":8,"optionalDependencies":0,"totalDependencies":1015}} From e3018e40726fbc6219c2ddef89b7c2f20f3f5359 Mon Sep 17 00:00:00 2001 From: sreekanthpuligadda Date: Thu, 12 Oct 2023 09:35:55 +0100 Subject: [PATCH 23/23] Test update using new case id as old case removed from system in backend --- test_codecept/e2e/features/app/globalSearch/searchPage.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test_codecept/e2e/features/app/globalSearch/searchPage.feature b/test_codecept/e2e/features/app/globalSearch/searchPage.feature index 2b0bd5a649..45b2afff65 100644 --- a/test_codecept/e2e/features/app/globalSearch/searchPage.feature +++ b/test_codecept/e2e/features/app/globalSearch/searchPage.feature @@ -32,5 +32,5 @@ Feature: Global search When I navigate to Expert UI Url Given I am logged into Expert UI with test user identified as "IAC_CaseOfficer_R2" When If env is "demo", I find "1662020492250902" from case ref in header 16 digit ref search - When If env is "aat", I find "1546883526751282" from case ref in header 16 digit ref search + When If env is "aat", I find "1694099310761276" from case ref in header 16 digit ref search Then I see case details page