regenerate suppressions again
peterpilgrim committed Mar 6, 2024
1 parent bb64e9c commit 36450fb
Showing 1 changed file with 117 additions and 1 deletion.
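--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1,117 @@
-{"actions":[],"advisories":{"1095102":{"findings":[{"version":"2.5.0","paths":["tough-cookie","jira-client>postman-request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1096571":{"findings":[{"version":"2.0.0","paths":["ip","db-migrate>tunnel-ssh>ssh2>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","db-migrate>tunnel-ssh>ssh2>cpu-features>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"=2.0.0","module_name":"ip","severity":"moderate","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":0,"vectorString":null},"updated":"2024-02-20T18:30:41.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1096571,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/indutny/node-ip/pull/138\n- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa\n- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package incorrectly identifies some private IP addresses as public","npm_advisory_id":null,"overview":"The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":5,"high":0,"critical":0},"dependencies":324,"devDependencies":0,"optionalDependencies":0,"totalDependencies":324}}
+{
+"actions":
+[],
+"advisories":
+{
+"1095102":
+{
+"findings":
+[
+{
+"version": "2.5.0",
+"paths":
+[
+"tough-cookie",
+"jira-client>postman-request>tough-cookie"
+]
+}
+],
+"metadata": null,
+"vulnerable_versions": "<4.1.3",
+"module_name": "tough-cookie",
+"severity": "moderate",
+"github_advisory_id": "GHSA-72xf-g2v4-qvf3",
+"cves":
+[
+"CVE-2023-26136"
+],
+"access": "public",
+"patched_versions": ">=4.1.3",
+"cvss":
+{
+"score": 6.5,
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+},
+"updated": "2023-11-29T22:32:01.000Z",
+"recommendation": "Upgrade to version 4.1.3 or later",
+"cwe":
+[
+"CWE-1321"
+],
+"found_by": null,
+"deleted": null,
+"id": 1095102,
+"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
+"created": "2023-07-01T06:30:16.000Z",
+"reported_by": null,
+"title": "tough-cookie Prototype Pollution vulnerability",
+"npm_advisory_id": null,
+"overview": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.",
+"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
+},
+"1096571":
+{
+"findings":
+[
+{
+"version": "2.0.0",
+"paths":
+[
+"ip",
+"db-migrate>tunnel-ssh>ssh2>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip",
+"db-migrate>tunnel-ssh>ssh2>cpu-features>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"
+]
+}
+],
+"metadata": null,
+"vulnerable_versions": "=2.0.0",
+"module_name": "ip",
+"severity": "moderate",
+"github_advisory_id": "GHSA-78xj-cgh5-2h22",
+"cves":
+[
+"CVE-2023-42282"
+],
+"access": "public",
+"patched_versions": ">=2.0.1",
+"cvss":
+{
+"score": 0,
+"vectorString": null
+},
+"updated": "2024-02-20T18:30:41.000Z",
+"recommendation": "Upgrade to version 2.0.1 or later",
+"cwe":
+[
+"CWE-918"
+],
+"found_by": null,
+"deleted": null,
+"id": 1096571,
+"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/indutny/node-ip/pull/138\n- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa\n- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22",
+"created": "2024-02-08T18:30:39.000Z",
+"reported_by": null,
+"title": "NPM IP package incorrectly identifies some private IP addresses as public",
+"npm_advisory_id": null,
+"overview": "The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.",
+"url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22"
+}
+},
+"muted":
+[],
+"metadata":
+{
+"vulnerabilities":
+{
+"info": 0,
+"low": 0,
+"moderate": 5,
+"high": 0,
+"critical": 0
+},
+"dependencies": 324,
+"devDependencies": 0,
+"optionalDependencies": 0,
+"totalDependencies": 324
+}
+}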
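Review bot: Both suppressed advisories carry an available fix (`"patched_versions": ">=4.1.3"` on entry `1095102` for tough-cookie, `"patched_versions": ">=2.0.1"` on entry `1096571` for `ip`), yet neither the commit message nor the file records why the upgrade is deferred or when the suppression should be revisited. The file looks like raw `yarn audit --json` output, which has no field for a rationale, so a short line per advisory id in the commit message or an adjacent text file (`# suppressed GHSA-72xf-g2v4-qvf3: reason, owner, review-by date`) would give whoever regenerates it next something to check against. The added lines appear to contain the same data as the removed line, only pretty-printed; if the check that consumes this file compares it textually against fresh audit output, the reformatted form may no longer match, which is worth confirming. The `updated` timestamps are part of that data, so the file will also need regenerating whenever the advisory database revises either entry, which is presumably what keeps forcing these "regenerate" commits.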
