Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bull-4.9.0.tgz: 3 vulnerabilities (highest severity is: 7.5) #414

Open
mend-bolt-for-github bot opened this issue Jan 7, 2023 · 0 comments
Open

bull-4.9.0.tgz: 3 vulnerabilities (highest severity is: 7.5) #414

mend-bolt-for-github bot opened this issue Jan 7, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-bolt-for-github
Copy link

mend-bolt-for-github bot commented Jan 7, 2023
edited
Loading

Vulnerable Library - bull-4.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bull version) Remediation Possible**
CVE-2023-22467 High 7.5 luxon-1.28.0.tgz Transitive 4.10.0
CVE-2023-52079 Medium 6.8 msgpackr-1.6.1.tgz Transitive 4.10.0
CVE-2022-25883 Medium 5.3 semver-7.3.7.tgz Transitive 4.11.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-22467

Vulnerable Library - luxon-1.28.0.tgz

Immutable date wrapper

Library home page: https://registry.npmjs.org/luxon/-/luxon-1.28.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • bull-4.9.0.tgz (Root Library)
    • cron-parser-4.4.0.tgz
      • luxon-1.28.0.tgz (Vulnerable Library)

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Found in base branch: next

Vulnerability Details

Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input.

Publish Date: 2023-01-04

URL: CVE-2023-22467

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3xq5-wjfh-ppjc

Release Date: 2023-01-04

Fix Resolution (luxon): 1.28.1

Direct dependency fix Resolution (bull): 4.10.0

Step up your Open Source Security Game with Mend here

CVE-2023-52079

Vulnerable Library - msgpackr-1.6.1.tgz

Ultra-fast MessagePack implementation with extensions for records and structured cloning

Library home page: https://registry.npmjs.org/msgpackr/-/msgpackr-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • bull-4.9.0.tgz (Root Library)
    • msgpackr-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Found in base branch: next

Vulnerability Details

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1.
Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

Publish Date: 2023-12-28

URL: CVE-2023-52079

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52079

Release Date: 2023-12-28

Fix Resolution (msgpackr): 1.10.1

Direct dependency fix Resolution (bull): 4.10.0

Step up your Open Source Security Game with Mend here

CVE-2022-25883

Vulnerable Library - semver-7.3.7.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • bull-4.9.0.tgz (Root Library)
    • semver-7.3.7.tgz (Vulnerable Library)

Found in HEAD commit: 69dcf397ab80cb4df4a7de7af9bec441aa22589e

Found in base branch: next

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (bull): 4.11.0

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 7, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title bull-4.9.0.tgz: 1 vulnerabilities (highest severity is: 7.5) bull-4.9.0.tgz: 2 vulnerabilities (highest severity is: 7.5) Dec 7, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title bull-4.9.0.tgz: 2 vulnerabilities (highest severity is: 7.5) bull-4.9.0.tgz: 3 vulnerabilities (highest severity is: 7.5) Dec 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants