Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: ewizard-cli

Scan Information:

Summary

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| ajv:5.5.2 | `cpe:2.3:a:ajv.js:ajv:5.5.2:*:*:*:*:*:*:*` | `pkg:npm/ajv@5.5.2` | MEDIUM | 1 | Highest | 8 |
| css-what:2.1.3 | `cpe:2.3:a:css-what_project:css-what:2.1.3:*:*:*:*:*:*:*` | `pkg:npm/css-what@2.1.3` | HIGH | 1 | Highest | 6 |
| css-what:3.4.2 | `cpe:2.3:a:css-what_project:css-what:3.4.2:*:*:*:*:*:*:*` | `pkg:npm/css-what@3.4.2` | HIGH | 1 | Highest | 6 |
| glob-parent:3.1.0 | | `pkg:npm/glob-parent@3.1.0` | HIGH | 1 | | 8 |
| got:6.7.1 | `cpe:2.3:a:got_project:got:6.7.1:*:*:*:*:*:*:*` | `pkg:npm/got@6.7.1` | MEDIUM | 1 | Highest | 11 |
| ip:2.0.0 | `cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:*:*:*` | `pkg:npm/ip@2.0.0` | CRITICAL | 1 | Highest | 6 |
| jsonwebtoken:8.5.1 | `cpe:2.3:a:auth0:jsonwebtoken:8.5.1:*:*:*:*:*:*:*` | `pkg:npm/jsonwebtoken@8.5.1` | HIGH | 6 | Highest | 7 |
| keycloak-connect:6.0.1 | | `pkg:npm/keycloak-connect@6.0.1` | MEDIUM | 3 | | 9 |
| nth-check:1.0.2 | `cpe:2.3:a:nth-check_project:nth-check:1.0.2:*:*:*:*:*:*:*` | `pkg:npm/nth-check@1.0.2` | HIGH | 1 | Highest | 8 |
| opener:1.5.2 | `cpe:2.3:a:opener_project:opener:1.5.2:*:*:*:*:*:*:*` | `pkg:npm/opener@1.5.2` | CRITICAL | 7 | Highest | 11 |
| parse-url:7.0.2 | `cpe:2.3:a:parse-url_project:parse-url:7.0.2:*:*:*:*:*:*:*` | `pkg:npm/parse-url@7.0.2` | CRITICAL | 2 | Highest | 8 |
| postcss:7.0.39 | `cpe:2.3:a:postcss:postcss:7.0.39:*:*:*:*:*:*:*` | `pkg:npm/postcss@7.0.39` | MEDIUM | 1 | Highest | 7 |
| ramda:0.26.1 | `cpe:2.3:a:ramdajs:ramda:0.26.1:*:*:*:*:*:*:*` | `pkg:npm/ramda@0.26.1` | CRITICAL | 1 | Highest | 7 |
| request:2.88.2 | `cpe:2.3:a:request_project:request:2.88.2:*:*:*:*:*:*:*` | `pkg:npm/request@2.88.2` | MEDIUM | 2 | Highest | 10 |
| scss-tokenizer:0.4.3 | `cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.4.3:*:*:*:*:*:*:*` | `pkg:npm/scss-tokenizer@0.4.3` | HIGH | 1 | Highest | 8 |
| static-server:2.2.1 | | `pkg:npm/static-server@2.2.1` | HIGH | 1 | | 6 |
| tough-cookie:2.5.0 | `cpe:2.3:a:salesforce:tough-cookie:2.5.0:*:*:*:*:*:*:*` | `pkg:npm/tough-cookie@2.5.0` | CRITICAL | 1 | Highest | 10 |
| webpack:4.47.0 | `cpe:2.3:a:webpack.js:webpack:4.47.0:*:*:*:*:*:*:*` | `pkg:npm/webpack@4.47.0` | CRITICAL | 1 | Highest | 7 |

Dependencies

ajv:5.5.2

Description:

Another JSON Schema Validator

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?table:4.0.2/ajv:^5.2.3

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2020-15366 (OSSINDEX)

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-15366 for details
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

css-what:2.1.3

Description:

a CSS selector parser

License:

BSD-2-Clause
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/css-what:2.1.3

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-21222 (OSSINDEX)

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-21222 for details
CWE-1333 Inefficient Regular Expression Complexity

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

css-what:3.4.2

Description:

a CSS selector parser

License:

BSD-2-Clause
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/css-what:3.4.2

Referenced In Project/Scope: ewizard-cli:1.3.0

Identifiers

Published Vulnerabilities

CVE-2022-21222 (OSSINDEX)

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-21222 for details
CWE-1333 Inefficient Regular Expression Complexity

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

glob-parent:3.1.0

Description:

Strips glob magic from a string to provide the parent directory path

License:

ISC
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?chokidar:2.1.8/glob-parent:^3.1.0

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2020-28469 (OSSINDEX)

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CWE-400 Uncontrolled Resource Consumption

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

got:6.7.1

Description:

Simplified HTTP requests

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/got:6.7.1

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-33987

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
NVD-CWE-noinfo

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

ip:2.0.0

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?socks:2.7.1/ip:^2.0.0

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-42282 (OSSINDEX)

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

jsonwebtoken:8.5.1

Description:

JSON Web Token implementation (symmetric and asymmetric)

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/jsonwebtoken:8.5.1

Referenced In Project/Scope: ewizard-cli:1.3.0

Identifiers

Published Vulnerabilities

CVE-2022-23539

Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you'll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-23540

In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don't need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.
CWE-347 Improper Verification of Cryptographic Signature, CWE-287 Improper Authentication

CVSSv3:
References:

Vulnerable Software & Versions:

GHSA-qwph-4952-7xr6 (NPM)

# Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification.

# Am I affected?
You will be affected if all the following are true in the `jwt.verify()` function:
- a token with no signature is received
- no algorithms are specified 
- a falsy (e.g. null, false, undefined) secret or key is passed 

# How do I fix it?
 
Update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. 

# Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.
CWE-347 Improper Verification of Cryptographic Signature, CWE-327 Use of a Broken or Risky Cryptographic Algorithm, CWE-287 Improper Authentication

CVSSv3:Unscored:
References:

Vulnerable Software & Versions (NPM):

CVE-2022-23541

jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of  forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.
NVD-CWE-Other, CWE-1259 Improper Restriction of Security Token Assignment, CWE-287 Improper Authentication

CVSSv3:
References:

Vulnerable Software & Versions:

GHSA-hjrf-2m68-5959 (NPM)

# Overview

Versions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification  than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. 

# Am I affected?

You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 

# How do I fix it?
 
Update to version 9.0.0.

# Will the fix impact my users?

There is no impact for end users
CWE-287 Improper Authentication

CVSSv3:Unscored:
References:

Vulnerable Software & Versions (NPM):

GHSA-8cf7-32gw-wr33 (NPM)

# Overview

Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. 

# Am I affected?

You are affected if you are using an algorithm and a key type other than the combinations mentioned below

| Key type | algorithm                                |
|----------|------------------------------------------|
| ec       | ES256, ES384, ES512                      |
| rsa      | RS256, RS384, RS512, PS256, PS384, PS512 |
| rsa-pss  | PS256, PS384, PS512                      |

And for Elliptic Curve algorithms:

| `alg` | Curve      |
|-------|------------|
| ES256 | prime256v1 |
| ES384 | secp384r1  |
| ES512 | secp521r1  |

# How do I fix it?

Update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you'll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.

# Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of an invalid key type/algorithm combination in 9.0.0 for legacy compatibility.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Unscored:
References:

Vulnerable Software & Versions (NPM):

keycloak-connect:6.0.1

Description:

Keycloak Connect Middleware

License:

Apache-2.0
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/keycloak-connect:6.0.1

Referenced In Project/Scope: ewizard-cli:1.3.0

Identifiers

Published Vulnerabilities

CVE-2022-2237 (OSSINDEX)

A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-2237 for details
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

GHSA-59fq-727j-hm3f (NPM)

There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using `checkSSO` with query param `prompt=none`.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

CVSSv3:Unscored:
References:

Vulnerable Software & Versions (NPM):

CVE-2020-1694 (OSSINDEX)

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-1694 for details
CWE-732 Incorrect Permission Assignment for Critical Resource

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

nth-check:1.0.2

Description:

performant nth-check parser & compiler

License:

BSD-2-Clause
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?css-select:2.1.0/nth-check:^1.0.2

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2021-3803

nth-check is vulnerable to Inefficient Regular Expression Complexity
CWE-1333 Inefficient Regular Expression Complexity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

opener:1.5.2

Description:

Opens stuff, like webpages and files and executables, cross-platform

License:

(WTFPL OR MIT)
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?webpack-bundle-analyzer:4.10.1/opener:^1.5.2

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-43604

An out-of-bounds write vulnerability exists in the GetAttributeList attribute_count_request functionality of EIP Stack Group OpENer development commit 58ee13c. A specially crafted EtherNet/IP request can lead to an out-of-bounds write, potentially causing the server to crash or allow for remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-43605

An out-of-bounds write vulnerability exists in the SetAttributeList attribute_count_request functionality of EIP Stack Group OpENer development commit 58ee13c. A specially crafted EtherNet/IP request can lead to an out of bounds write, potentially causing the server to crash or allow for remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability.
CWE-787 Out-of-bounds Write

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-27478

A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may cause a denial-of-service condition.
CWE-681 Incorrect Conversion between Numeric Types

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-27482

A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may allow the attacker to read arbitrary data.
CWE-125 Out-of-bounds Read

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-27498

A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may result in a denial-of-service condition.
CWE-617 Reachable Assertion

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2021-27500

A specifically crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to Feb 10, 2021 may result in a denial-of-service condition.
CWE-617 Reachable Assertion

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-43606

A use-of-uninitialized-pointer vulnerability exists in the Forward Open connection_management_entry functionality of EIP Stack Group OpENer development commit 58ee13c. A specially-crafted EtherNet/IP request can lead to use of a null pointer, causing the server to crash. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability.
CWE-824 Access of Uninitialized Pointer

CVSSv3:
References:

Vulnerable Software & Versions:

parse-url:7.0.2

Description:

An advanced url parser supporting git urls too.

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/parse-url:7.0.2

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-2900

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
References:

Vulnerable Software & Versions:

CVE-2022-3224

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.
CWE-115 Misinterpretation of Input

CVSSv3:
References:

Vulnerable Software & Versions:

postcss:7.0.39

Description:

Tool for transforming styles with JS plugins

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/postcss:7.0.39

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-44270

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv3:
References:

Vulnerable Software & Versions:

ramda:0.26.1

Description:

A practical functional library for JavaScript programmers.

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/ramda:0.26.1

Referenced In Project/Scope: ewizard-cli:1.3.0

Identifiers

Published Vulnerabilities

CVE-2021-42581

Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

request:2.88.2

Description:

Simplified HTTP request client.

License:

Apache-2.0
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/request:2.88.2

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-28155 (OSSINDEX)

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

GHSA-p8p7-x288-28g6 (NPM)

The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The `request` package is no longer supported by the maintainer.
CWE-918 Server-Side Request Forgery (SSRF)

CVSSv3:Unscored:
References:

Vulnerable Software & Versions (NPM):

scss-tokenizer:0.4.3

Description:

A tokenizer for Sass' SCSS syntax

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/scss-tokenizer:0.4.3

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2022-25758

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
CWE-1333 Inefficient Regular Expression Complexity

CVSSv2:CVSSv3:
References:

Vulnerable Software & Versions:

static-server:2.2.1

Description:

A simple http server to serve static resource files from a local directory.

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/static-server:2.2.1

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-26152 (OSSINDEX)

All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the validPath function of server.js.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-26152 for details
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):

tough-cookie:2.5.0

Description:

RFC6265 Cookies and Cookie Jar for node.js

License:

BSD-3-Clause
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/tough-cookie:2.5.0

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-26136

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv3:
References:

Vulnerable Software & Versions:

webpack:4.47.0

Description:

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

License:

MIT
File Path: /builds/ewizardjs/ewizard-cli/npm-shrinkwrap.json?/webpack:4.47.0

Referenced In Projects/Scopes:

Related Dependencies

Identifiers

Published Vulnerabilities

CVE-2023-28154 (OSSINDEX)

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-28154 for details
CWE-noinfo

CVSSv3:
References:

Vulnerable Software & Versions (OSSINDEX):



This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.