truffle-5.11.5.tgz: 7 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - truffle-5.11.5.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/@ensdomains/ens/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/contracts/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/node_modules/solc/node_modules/yargs-parser/package.json

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (truffle version)	Remediation Possible**
WS-2023-0439	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2024-48930	High	7.5	secp256k1-4.0.3.tgz	Transitive	N/A*	❌
CVE-2024-39338	High	7.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	ws-8.13.0.tgz	Transitive	N/A*	❌
CVE-2024-21505	High	7.5	web3-utils-1.10.0.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-1.5.0.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-2.4.1.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0439

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). Server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.

Publish Date: 2023-10-25

URL: WS-2023-0439

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2023-0439

Release Date: 2023-10-25

Fix Resolution: axios - 1.6.3,0.20.0

Step up your Open Source Security Game with Mend here

CVE-2024-48930

Vulnerable Library - secp256k1-4.0.3.tgz

This module provides native bindings to ecdsa secp256k1 functions

Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz

Path to dependency file: /blockchain_integration/pi_network/SpacePi/package.json

Path to vulnerable library: /blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/secp256k1/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/secp256k1/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • ganache-7.9.1.tgz
    • ❌ secp256k1-4.0.3.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. publicKeyVerify() incorrectly returning true on those invalid keys, and e.g. publicKeyTweakMul() also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

Publish Date: 2024-10-21

URL: CVE-2024-48930

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-584q-6j8j-r5pm

Release Date: 2024-10-21

Fix Resolution: secp256k1 - 3.8.1,4.0.4,5.0.1

Step up your Open Source Security Game with Mend here

CVE-2024-39338

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Publish Date: 2024-08-09

URL: CVE-2024-39338

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hc4-vh64-cxmj

Release Date: 2024-08-09

Fix Resolution: axios - 1.7.4

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-8.13.0.tgz

Library home page: https://registry.npmjs.org/ws/-/ws-8.13.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/ganache/node_modules/@trufflesuite/uws-js-unofficial/node_modules/ws/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • ganache-7.9.1.tgz
    • uws-js-unofficial-20.30.0-unofficial.0.tgz
      • ❌ ws-8.13.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Library - web3-utils-1.10.0.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.10.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/contracts/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/node_modules/web3-utils/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/web3-utils/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • ❌ web3-utils-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-45857

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/axios/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/axios/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/contracts/node_modules/axios/package.json,/blockchain_integration/pi_network/node_modules/axios/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • db-2.0.36.tgz
    • config-1.3.61.tgz
      • events-0.1.25.tgz
        • dashboard-message-bus-client-0.1.12.tgz
          • ❌ axios-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

Step up your Open Source Security Game with Mend here

CVE-2020-7608

Vulnerable Library - yargs-parser-2.4.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz

Path to dependency file: /blockchain_integration/pi_network/contracts/PI-bank/package.json

Path to vulnerable library: /blockchain_integration/pi_network/contracts/PI-bank/node_modules/@ensdomains/ens/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/contracts/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/solc/node_modules/yargs-parser/package.json,/blockchain_integration/pi_network/node_modules/solc/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• truffle-5.11.5.tgz (Root Library)
  • debugger-12.1.5.tgz
    • ensjs-2.1.0.tgz
      • ens-0.4.5.tgz
        • solc-0.4.26.tgz
          • yargs-4.8.1.tgz
            • ❌ yargs-parser-2.4.1.tgz (Vulnerable Library)

Found in HEAD commit: d3541aa3e3fabe96b343bad4a2627e5d1fbf8c36

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.