npm dependencies https-proxy-agent, npm-packlist, yargs-parser, request, dot-prop, and execa have not been updated in years, and the package versions that the npm CLI is using have security vulnerabilities.
https-proxy-agent - The https-proxy-agent package is vulnerable to Man-in-the-Middle. The ondata and onsocket functions in index.js do not upgrade TLS connections like they normally do when connecting to a proxy that doesn't return a 200 response to the initial CONNECT request. Consequently, a MitM listening to this could potentially view sensitive data that would have otherwise been hidden by TLS.
npm-packlist - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
npm-packlist - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
yargs-parser - The yargs-parser package is vulnerable to Prototype Pollution. The setKey() function in the index.js file allows users to modify object prototypes by leveraging the __proto__ property. A remote attacker can exploit this behavior to obtain information, cause a Denial of Service (DoS) condition, or to perform Remote Code Execution (RCE) depending on the context under which the affected object prototype is used by the application.
request - The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure. With enough resources an attacker might be able to crack the authentication mechanism and cause security attacks.
dot-prop - The dot-prop package is vulnerable to Prototype Pollution attacks. The getPathSegments() function in the index.js file fails to restrict access to the prototypes of base objects and, consequently, allows for the modification of prototype behavior. An attacker can exploit this vulnerability by supplying data that overrides the base object's prototype's behavior which, depending on its usage within the application, may allow the attacker to obtain sensitive information, perform a Denial of Service (DoS) attack, or execute malicious code.
execa - The execa package is vulnerable to Command Injection attacks. When using execa.shell(), execa.shellSync(), or execa() with shell=true, embedded parameters in the command string can be interpreted as additional OS commands. A remote attacker can exploit this behavior by submitting a crafted request that propagates a command to a parameter embedded in the input string for one of the aforementioned functions. Attackers may leverage this vulnerability to run arbitrary commands on the application server and set up a reverse shell.
When
Referring to the links provided above, it seems these issues have existed for a long time but have not been addressed yet. We observed these issues as part of a security scan on the nodejs docker image, which internally uses the npm CLI and its dependencies.
Update the dependency packages mentioned above to non-vulnerable versions (see the FIX AVAILABLE VERSION column).
https-proxy-agent : 2.2.4 to 3.0.0
npm-packlist : 1.4.8 to 2.0.2
yargs-parser : 9.0.2 to 13.1.2
execa : 0.7.0 to 2.0.1
dot-prop : 4.2.0 to 5.1.1
request : 2.88.0; a fix is not available from the request module at this point.
juppala changed the title from "[BUG] Security vulnerabilities in deps https-proxy-agent, npm-packlist, and yargs-parser" to "[BUG] Security vulnerabilities in deps https-proxy-agent, npm-packlist, yargs-parser, request, dot-prop, and execa" on Jul 8, 2020
Current Behavior
VULNERABILITY       | CVSS SCORE | COMPONENT : VERSION        | FIX AVAILABLE VERSION
sonatype-2019-0419  | 5.9        | https-proxy-agent : 2.2.4  | 3.0.0+
CVE-2019-16776      | 8.1        | npm-packlist : 1.4.8       | 2.0.2
CVE-2020-7608       | 7.5        | yargs-parser : 9.0.2       | 13.1.2
CVE-2019-16775      | 6.5        | npm-packlist : 1.4.8       | 2.0.2
sonatype-2019-0206  | 9.8        | execa : 0.7.0              | 2.0.1+
sonatype-2020-0018  | 9.8        | dot-prop : 4.2.0           | 5.1.1
sonatype-2017-0655  | 5.9        | request : 2.88.0           | Not available
References
Attachments with scan details
npm-vulnerabilities.zip
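The two prototype-pollution entries in the report (yargs-parser CVE-2020-7608 and dot-prop sonatype-2020-0018) share one root cause: a dotted-path setter that walks user-supplied key segments into an object without refusing `__proto__`, so the segment resolves to Object.prototype and the final assignment lands there. The following is an added example and not code from this issue, from npm, or from either library; `setPathUnsafe`, `setPathSafe` and `pollutionEscapes` are illustrative names, and the argv-style input is constructed for the demonstration.

```javascript
'use strict';

// Keys that must never be traversed or assigned when the path comes from
// untrusted input: each one is a route to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Illustrative setter in the shape of the vulnerable pattern (not the
// libraries' own code): it splits a dotted path and walks each segment
// unchecked. For "__proto__.polluted", node["__proto__"] is Object.prototype,
// so the last assignment writes onto every object's prototype.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (node[seg] === undefined || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened setter: rejects reserved segments up front and only descends into
// properties the current node owns itself, never into inherited ones.
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to set reserved key "${seg}"`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Parses a constructed argv such as ['--__proto__.polluted=yes'] the way a
// naive option parser would ("--key=value") and feeds each pair to the given
// setter. Returns true when a fresh object that never had the key set
// inherits the attacker's value. Any pollution is removed afterwards so the
// check can be rerun in the same process.
function pollutionEscapes(setter, argv) {
  const config = {};
  try {
    for (const arg of argv) {
      if (!arg.startsWith('--')) continue;
      const eq = arg.indexOf('=');
      const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
      const value = eq === -1 ? true : arg.slice(eq + 1);
      setter(config, key, value);
    }
    return ({}).polluted === 'yes';
  } catch (err) {
    return false; // the hardened setter refused the path; nothing was written
  } finally {
    delete Object.prototype.polluted;
  }
}

// Constructed input: one legitimate option followed by the pollution attempt.
const CONSTRUCTED_ARGV = ['--port=8080', '--__proto__.polluted=yes'];

console.log('unsafe setter pollutes Object.prototype:', pollutionEscapes(setPathUnsafe, CONSTRUCTED_ARGV));
console.log('safe setter pollutes Object.prototype:  ', pollutionEscapes(setPathSafe, CONSTRUCTED_ARGV));
```

The hardened version does two things the vulnerable one does not: it rejects the three reserved segments before touching the object, and it refuses to descend through inherited properties, which is what the fixed yargs-parser and dot-prop releases listed in the table also do in their own code.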