
mongosh-2.0.2_linux_amd64

Digest: sha256:7b8e72e74d6267e06a1555a5af3705a3e3ebcb258859c7bdf5f831685994c728
Vulnerabilities: critical 5, high 19, medium 28, low 5, unspecified 11
Size: 127 MB
Packages: 674
expat 2.5.0-r1 (apk)
Severity counts: critical 2, high 2, medium 1, low 0, unspecified 1
pkg:apk/alpine/expat@2.5.0-r1?os_name=alpine&os_version=3.18

critical: CVE-2024-45492
Affected range: <2.6.3-r0
Fixed version: 2.6.3-r0
EPSS score: 0.09%
EPSS percentile: 40th

critical: CVE-2024-45491
Affected range: <2.6.3-r0
Fixed version: 2.6.3-r0
EPSS score: 0.09%
EPSS percentile: 40th

high: CVE-2024-45490
Affected range: <2.6.3-r0
Fixed version: 2.6.3-r0
EPSS score: 0.05%
EPSS percentile: 18th

high: CVE-2023-52425
Affected range: <2.6.0-r0
Fixed version: 2.6.0-r0
EPSS score: 0.09%
EPSS percentile: 39th

medium: CVE-2023-52426
Affected range: <2.6.0-r0
Fixed version: 2.6.0-r0
EPSS score: 0.05%
EPSS percentile: 21st

unspecified: CVE-2024-28757
Affected range: <2.6.2-r0
Fixed version: 2.6.2-r0
EPSS score: 0.04%
EPSS percentile: 11th
stdlib 1.20.10 (golang)
Severity counts: critical 1, high 7, medium 3, low 0, unspecified 5
pkg:golang/stdlib@1.20.10

critical: CVE-2024-24790
Affected range: <1.21.11
Fixed version: 1.21.11
EPSS score: 0.06%
EPSS percentile: 28th
Description:

The various Is methods (IsPrivate, IsLoopback, etc.) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

high: CVE-2024-34158
Affected range: <1.22.7
Fixed version: 1.22.7
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high: CVE-2024-34156
Affected range: <1.22.7
Fixed version: 1.22.7
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high: CVE-2024-24791
Affected range: <1.21.12
Fixed version: 1.21.12
EPSS score: 0.04%
EPSS percentile: 17th
Description:

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high: CVE-2024-24784
Affected range: <1.21.8
Fixed version: 1.21.8
EPSS score: 0.04%
EPSS percentile: 11th
Description:

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

high: CVE-2023-45288
Affected range: <1.21.9
Fixed version: 1.21.9
EPSS score: 0.04%
EPSS percentile: 14th
Description:

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.

Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.

This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

The fix sets a limit on the amount of excess header frames we will process before closing a connection.

high: CVE-2023-45283
Affected range: <1.20.11
Fixed version: 1.20.11
EPSS score: 0.11%
EPSS percentile: 46th
Description:

The filepath package does not recognize paths with a \??\ prefix as special.

On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b.

Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b.

In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name.

UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.

high: CVE-2022-30635
Affected range: <1.22.7
Fixed version: 1.22.7
EPSS score: 0.19%
EPSS percentile: 56th
Description:

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

medium: CVE-2024-24789
Affected range: <1.21.11
Fixed version: 1.21.11
EPSS score: 0.04%
EPSS percentile: 11th
Description:

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

medium: CVE-2023-45284
Affected range: <1.20.11
Fixed version: 1.20.11
EPSS score: 0.06%
EPSS percentile: 26th
Description:

On Windows, the IsLocal function does not correctly detect reserved device names in some cases.

Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local.

With fix, IsLocal now correctly reports these names as non-local.

medium: CVE-2023-39326
Affected range: <1.20.12
Fixed version: 1.20.12
EPSS score: 0.05%
EPSS percentile: 21st
Description:

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.

A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

unspecified: CVE-2024-34155
Affected range: <1.22.7
Fixed version: 1.22.7
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

unspecified: CVE-2024-24785
Affected range: <1.21.8
Fixed version: 1.21.8
EPSS score: 0.04%
EPSS percentile: 11th
Description:

If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into templates.

unspecified: CVE-2024-24783
Affected range: <1.21.8
Fixed version: 1.21.8
EPSS score: 0.04%
EPSS percentile: 11th
Description:

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

unspecified: CVE-2023-45290
Affected range: <1.21.8
Fixed version: 1.21.8
EPSS score: 0.04%
EPSS percentile: 11th
Description:

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

unspecified: CVE-2023-45289
Affected range: <1.21.8
Fixed version: 1.21.8
EPSS score: 0.04%
EPSS percentile: 11th
Description:

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

openssl 3.1.3-r0 (apk)
Severity counts: critical 1, high 2, medium 4, low 0, unspecified 4
pkg:apk/alpine/openssl@3.1.3-r0?os_name=alpine&os_version=3.18

critical: CVE-2024-5535
Affected range: <3.1.6-r0
Fixed version: 3.1.6-r0
EPSS score: 0.04%
EPSS percentile: 14th

high: CVE-2024-6119
Affected range: <3.1.7-r0
Fixed version: 3.1.7-r0
EPSS score: 0.04%
EPSS percentile: 17th

high: CVE-2023-5363
Affected range: <3.1.4-r0
Fixed version: 3.1.4-r0
EPSS score: 0.06%
EPSS percentile: 29th

medium: CVE-2023-6129
Affected range: <3.1.4-r3
Fixed version: 3.1.4-r3
EPSS score: 0.06%
EPSS percentile: 27th

medium: CVE-2024-0727
Affected range: <3.1.4-r5
Fixed version: 3.1.4-r5
EPSS score: 0.23%
EPSS percentile: 61st

medium: CVE-2024-4603
Affected range: <3.1.5-r0
Fixed version: 3.1.5-r0
EPSS score: 0.04%
EPSS percentile: 17th

medium: CVE-2023-5678
Affected range: <3.1.4-r1
Fixed version: 3.1.4-r1
EPSS score: 0.08%
EPSS percentile: 34th

unspecified: CVE-2024-9143
Affected range: <3.1.7-r1
Fixed version: 3.1.7-r1
EPSS score: 0.04%
EPSS percentile: 11th

unspecified: CVE-2024-4741
Affected range: <3.1.6-r0
Fixed version: 3.1.6-r0

unspecified: CVE-2024-2511
Affected range: <3.1.4-r6
Fixed version: 3.1.4-r6
EPSS score: 0.04%
EPSS percentile: 17th

unspecified: CVE-2023-6237
Affected range: <3.1.4-r4
Fixed version: 3.1.4-r4
EPSS score: 0.04%
EPSS percentile: 17th
git 2.40.1-r0 (apk)
Severity counts: critical 1, high 2, medium 0, low 2
pkg:apk/alpine/git@2.40.1-r0?os_name=alpine&os_version=3.18

critical: CVE-2024-32002
Affected range: <2.40.3-r0
Fixed version: 2.40.3-r0
EPSS score: 0.15%
EPSS percentile: 52nd

high: CVE-2024-32004
Affected range: <2.40.3-r0
Fixed version: 2.40.3-r0
EPSS score: 0.04%
EPSS percentile: 11th

high: CVE-2024-32465
Affected range: <2.40.3-r0
Fixed version: 2.40.3-r0
EPSS score: 0.04%
EPSS percentile: 11th

low: CVE-2024-32021
Affected range: <2.40.3-r0
Fixed version: 2.40.3-r0
EPSS score: 0.04%
EPSS percentile: 17th

low: CVE-2024-32020
Affected range: <2.40.3-r0
Fixed version: 2.40.3-r0
EPSS score: 0.04%
EPSS percentile: 17th
curl 8.4.0-r0 (apk)
Severity counts: critical 0, high 2, medium 5, low 1, unspecified 1
pkg:apk/alpine/curl@8.4.0-r0?os_name=alpine&os_version=3.18

high: CVE-2024-2398
Affected range: <8.7.1-r0
Fixed version: 8.7.1-r0
EPSS score: 0.05%
EPSS percentile: 18th

high: CVE-2024-6197
Affected range: <8.9.0-r0
Fixed version: 8.9.0-r0
EPSS score: 0.07%
EPSS percentile: 31st

medium: CVE-2024-2466
Affected range: <8.7.1-r0
Fixed version: 8.7.1-r0
EPSS score: 0.04%
EPSS percentile: 14th

medium: CVE-2023-46218
Affected range: <8.5.0-r0
Fixed version: 8.5.0-r0
EPSS score: 0.07%
EPSS percentile: 32nd

medium: CVE-2024-0853
Affected range: <8.6.0-r0
Fixed version: Not Fixed
EPSS score: 0.06%
EPSS percentile: 25th

medium: CVE-2023-46219
Affected range: <8.5.0-r0
Fixed version: 8.5.0-r0
EPSS score: 0.05%
EPSS percentile: 21st

medium: CVE-2024-6874
Affected range: <8.9.0-r0
Fixed version: 8.9.0-r0
EPSS score: 0.08%
EPSS percentile: 35th

low: CVE-2024-2004
Affected range: <8.7.1-r0
Fixed version: 8.7.1-r0
EPSS score: 0.05%
EPSS percentile: 18th

unspecified: CVE-2024-2379
Affected range: <8.7.1-r0
Fixed version: 8.7.1-r0
EPSS score: 0.04%
EPSS percentile: 14th
ip 2.0.0 (npm)
Severity counts: critical 0, high 1, medium 0, low 1
pkg:npm/ip@2.0.0

high 8.1: CVE-2024-29415 Server-Side Request Forgery (SSRF)
Affected range: <=2.0.1
Fixed version: Not Fixed
CVSS score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description:

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

low: CVE-2023-42282 Server-Side Request Forgery (SSRF)
Affected range: >=2.0.0, <2.0.1
Fixed version: 2.0.1
EPSS score: 0.08%
EPSS percentile: 37th
Description:

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

path-to-regexp 0.1.7 (npm)
Severity counts: critical 0, high 1, medium 0, low 0
pkg:npm/path-to-regexp@0.1.7

high 7.5: CVE-2024-45296 Inefficient Regular Expression Complexity
Affected range: <0.1.10
Fixed version: 0.1.10
CVSS score: 7.5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions add backtrack protection when a custom regex pattern is not provided:

They do not protect against vulnerable user-supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string makes matching about 4x faster.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is that the /a at the end ensures this route would never match, but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a.

Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex results in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to an average latency of ~600ms vs 1ms.

References

body-parser 1.20.1 (npm)
Severity counts: critical 0, high 1, medium 0, low 0
pkg:npm/body-parser@1.20.1

high 7.5: CVE-2024-45590 Asymmetric Resource Consumption (Amplification)
Affected range: <1.20.3
Fixed version: 1.20.3
CVSS score: 7.5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS score: 0.05%
EPSS percentile: 18th
Description:

Impact

body-parser <1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.

Patches

This issue is patched in 1.20.3.

References

golang.org/x/text 0.3.7 (golang)
Severity counts: critical 0, high 1, medium 0, low 0
pkg:golang/golang.org/x/text@0.3.7

high 7.5: CVE-2022-32149 Missing Release of Resource after Effective Lifetime
Affected range: <0.3.8
Fixed version: 0.3.8
CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score: 0.24%
EPSS percentile: 62nd
Description:

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Specific Go Packages Affected

golang.org/x/text/language

busybox 1.36.1-r2 (apk)
Severity counts: critical 0, high 0, medium 4, low 0
pkg:apk/alpine/busybox@1.36.1-r2?os_name=alpine&os_version=3.18

medium: CVE-2023-42366
Affected range: <1.36.1-r6
Fixed version: 1.36.1-r6
EPSS score: 0.04%
EPSS percentile: 14th

medium: CVE-2023-42365
Affected range: <1.36.1-r7
Fixed version: 1.36.1-r7
EPSS score: 0.04%
EPSS percentile: 14th

medium: CVE-2023-42364
Affected range: <1.36.1-r7
Fixed version: 1.36.1-r7
EPSS score: 0.04%
EPSS percentile: 14th

medium: CVE-2023-42363
Affected range: <1.36.1-r7
Fixed version: 1.36.1-r7
EPSS score: 0.04%
EPSS percentile: 14th
follow-redirects 1.15.3 (npm)
Severity counts: critical 0, high 0, medium 2, low 0
pkg:npm/follow-redirects@1.15.3

medium 6.5: CVE-2024-28849 Exposure of Sensitive Information to an Unauthorized Actor
Affected range: <=1.15.5
Fixed version: 1.15.6
CVSS score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS score: 0.04%
EPSS percentile: 11th
Description:

When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

Steps To Reproduce & PoC

Test code:

```javascript
const axios = require('axios');

// Send mixed-case sensitive headers to a local server that answers with a
// cross-domain redirect. On the redirected request, authorization and cookie
// are stripped, but (before the fix) proxy-authorization is forwarded as-is.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    console.log(response);
  })
  .catch((err) => {
    // Report connection or HTTP errors instead of an unhandled rejection.
    console.error(err.message);
  });
```

When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

Impact

This vulnerability may lead to credentials leak.

Recommendations

Remove proxy-authentication header during cross-domain redirect

follow-redirects/index.js:464

- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
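Review bot: the new `proxy-authorization` alternative in the regex should land together with a regression test, and the PoC above already supplies the case: a mixed-case `ProXy-AuthoriZation` header that must be dropped on a cross-domain redirect. Because the pattern stays anchored with `^(?:...)$` and keeps the `i` flag, that header name is matched by the updated expression, so the test only needs to assert that the header is absent from the redirected request.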

medium 6.1: CVE-2023-26159 Improper Input Validation
Affected range: <1.15.4
Fixed version: 1.15.4
CVSS score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS score: 0.05%
EPSS percentile: 21st
Description:

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

express 4.18.2 (npm)
Severity counts: critical 0, high 0, medium 2, low 0
pkg:npm/express@4.18.2

medium 6.1: CVE-2024-29041 Improper Validation of Syntactic Correctness of Input
Affected range: <4.19.2
Fixed version: 4.19.2
CVSS score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS score: 0.04%
EPSS percentile: 11th
Description:

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL, Express encodes the contents with encodeurl before passing it to the Location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow-list implementations in Express applications, leading to an open redirect via bypass of a properly implemented allow list.

The main method impacted is res.location(), but this is also called from within res.redirect().

Patches

https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94

An initial fix went out with express@4.19.0; we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the URL string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location

medium 5.0: CVE-2024-43796 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range: <4.20.0
Fixed version: 4.20.0
CVSS score: 5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
EPSS score: 0.05%
EPSS percentile: 18th
Description:

Impact

In express <4.20.0, passing untrusted user input, even after sanitizing it, to response.redirect() may execute untrusted code.

Patches

This issue is patched in express 4.20.0.

Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

Details

Successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template
tar 6.1.15 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/tar@6.1.15

medium 6.5: CVE-2024-28863 Uncontrolled Resource Consumption
Affected range: <6.2.1
Fixed version: 6.2.1
CVSS score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Description:

During some analysis today on npm's node-tar package I came across the folder creation process. Basically, if you provide node-tar with a path like this, ./a/b/c/foo.txt, it would create every folder and sub-folder here (a, b and c) until it reaches the last folder to create foo.txt. In this case I noticed that there's no validation at all on the amount of folders being created; that said, we're actually able to consume CPU and memory on the system running node-tar and even crash the nodejs client within a few seconds of running it using a path with too many sub-folders inside.

Steps To Reproduce:

You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it; you should get the same behavior as the video.

Proof Of Concept:

Here's a video show-casing the exploit:

Impact

Denial of service by crashing the nodejs client when attempting to parse a tar archive, making it run out of heap memory and consuming server CPU and memory resources.

Report resources

payload.txt archeive.tar.gz

Note

This report was originally reported to the GitHub bug bounty program; they asked me to report it to you a month ago.

serve-static 1.15.0 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/serve-static@1.15.0

medium 5.0: CVE-2024-43800 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range: <1.16.0
Fixed version: 1.16.0
CVSS score: 5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
EPSS score: 0.05%
EPSS percentile: 22nd
Description:

Impact

Passing untrusted user input, even after sanitizing it, to redirect() may execute untrusted code.

Patches

This issue is patched in serve-static 1.16.0.

Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

Details

Successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template
axios 0.21.4 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/axios@0.21.4

medium 6.5: CVE-2023-45857 Cross-Site Request Forgery (CSRF)
Affected range: >=0.8.1, <0.28.0
Fixed version: 1.6.0
CVSS score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS score: 0.06%
EPSS percentile: 29th
Description:

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

send 0.18.0 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/send@0.18.0

medium 5.0: CVE-2024-43799 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected range: <0.19.0
Fixed version: 0.19.0
CVSS score: 5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
EPSS score: 0.05%
EPSS percentile: 18th
Description:

Impact

Passing untrusted user input, even after sanitizing it, to SendStream.redirect() may execute untrusted code.

Patches

This issue is patched in send 0.19.0.

Workarounds

Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.

Details

Successful exploitation of this vector requires the following:

  1. The attacker MUST control the input to response.redirect()
  2. express MUST NOT redirect before the template appears
  3. the browser MUST NOT complete redirection before:
  4. the user MUST click on the link in the template
jose 4.15.4 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/jose@4.15.4

medium 5.3: CVE-2024-28176 Uncontrolled Resource Consumption
Affected range: >=3.0.0, <=4.15.4
Fixed version: 4.15.5
CVSS score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS score: 0.04%
EPSS percentile: 14th
Description:

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application-level mechanisms for preventing resource exhaustion may be rendered ineffective.

Note that as per RFC 8725 compression of data SHOULD NOT be done before encryption, because such compressed data often reveals information about the plaintext. For this reason the v5.x major version of jose removed support for compressed payloads entirely and is therefore NOT affected by this advisory.

Impact

Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations.

Affected users

The impact is limited only to Node.js users utilizing the JWE decryption APIs to decrypt JWEs from untrusted sources.

You are NOT affected if any of the following applies to you:

  • Your code uses jose version v5.x, where JWE Compression is not supported anymore
  • Your code runs in an environment other than Node.js (e.g. Deno, CF Workers), Node.js being the only runtime where JWE Compression is implemented out of the box
  • Your code does not use the JWE decryption APIs
  • Your code only accepts JWEs produced by trusted sources

Patches

v2.0.7 and v4.15.5 releases limit the decompression routine to only allow decompressing up to 250 kB of plaintext. In v4.x it is possible to further adjust this limit via the inflateRaw decryption option implementation. In v2.x it is possible to further adjust this limit via the inflateRawSyncLimit decryption option.

Workarounds

If you cannot upgrade and do not want to support compressed JWEs, you may detect and reject these tokens early by checking the token's protected header:

```javascript
const jose = require('jose'); // v3.x or v4.x release line

// token: the compact JWE string received from an untrusted source.
// A "zip" member in the protected header means the plaintext would be
// decompressed after decryption, so refuse it before decrypting.
const { zip } = jose.decodeProtectedHeader(token);
if (zip !== undefined) {
  throw new Error('JWE Compression is not supported');
}
```

If you wish to continue supporting JWEs with compressed payloads in these legacy release lines, you must upgrade (v1.x and v2.x to version v2.0.7, v3.x and v4.x to version v4.15.5) and review the limits put forth by the patched releases.

For more information

If you have any questions or comments about this advisory, please open a discussion in the project's repository.

krb5 1.20.1-r1 (apk)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:apk/alpine/krb5@1.20.1-r1?os_name=alpine&os_version=3.18

medium: CVE-2023-36054
Affected range: <1.20.2-r0
Fixed version: 1.20.2-r0
EPSS score: 0.43%
EPSS percentile: 75th
tar 6.2.0 (npm)
Severity counts: critical 0, high 0, medium 1, low 0
pkg:npm/tar@6.2.0

medium 6.5: CVE-2024-28863 Uncontrolled Resource Consumption
Affected range: <6.2.1
Fixed version: 6.2.1
CVSS score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Description:

During some analysis today on npm's node-tar package I came across the folder creation process. Basically, if you provide node-tar with a path like this, ./a/b/c/foo.txt, it would create every folder and sub-folder here (a, b and c) until it reaches the last folder to create foo.txt. In this case I noticed that there's no validation at all on the amount of folders being created; that said, we're actually able to consume CPU and memory on the system running node-tar and even crash the nodejs client within a few seconds of running it using a path with too many sub-folders inside.

Steps To Reproduce:

You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it; you should get the same behavior as the video.

Proof Of Concept:

Here's a video show-casing the exploit:

Impact

Denial of service by crashing the nodejs client when attempting to parse a tar archive, making it run out of heap memory and consuming server CPU and memory resources.

Report resources

payload.txt archeive.tar.gz

Note

This report was originally reported to the GitHub bug bounty program; they asked me to report it to you a month ago.

cookie 0.5.0 (npm)
Severity counts: critical 0, high 0, medium 0, low 1
pkg:npm/cookie@0.5.0

low: CVE-2024-47764 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected range: <0.7.0
Fixed version: 0.7.0
EPSS score: 0.04%
EPSS percentile: 17th
Description:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting the userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields; ensure they are set by the application rather than taken from user input.

References