From 5a5d1882b7de0967c83099f03fb7e6f34f8a8106 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 16:54:02 -0500 Subject: [PATCH 01/16] Release: Merge back 2.36.5 into bugfix from: master-into-bugfix/2.36.5-2.37.0-dev (#10627) * Update versions in application files * Update versions in application files --------- Co-authored-by: DefectDojo release bot Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --- helm/defectdojo/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 00d482acf72..be5afccbdca 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.37.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.142-dev +version: 1.6.143-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 9b991c65305ca2c2dedbea4d13d976ce19f9387b Mon Sep 17 00:00:00 2001 
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 25 Jul 2024 13:40:09 -0500 Subject: [PATCH 02/16] Listing Tables: Add toggle switch in system settings (#10617) * Listing Tables: Add toggle switch in system settings * Fixing ruff * Update help text * Remove missed italics --- dojo/components/views.py | 1 + ...ettings_enable_ui_table_based_searching.py | 18 ++ dojo/engagement/views.py | 2 + dojo/finding/views.py | 4 +- dojo/models.py | 5 + dojo/product/views.py | 3 + dojo/templates/dojo/components.html | 98 +++++----- dojo/templates/dojo/engagements_all.html | 76 ++++---- .../templates/dojo/findings_list_snippet.html | 90 ++++----- dojo/templates/dojo/product.html | 182 +++++++++--------- dojo/templates/dojo/product_components.html | 98 +++++----- .../dojo/snippets/engagement_list.html | 126 ++++++------ dojo/templates/dojo/view_finding.html | 98 +++++----- dojo/templates/dojo/view_risk_acceptance.html | 66 ++++--- dojo/templates/dojo/view_test.html | 104 +++++----- dojo/test/views.py | 1 + 16 files changed, 511 insertions(+), 461 deletions(-) create mode 100644 dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py diff --git a/dojo/components/views.py b/dojo/components/views.py index d4a7490fbb9..9b88e144e1c 100644 --- a/dojo/components/views.py +++ b/dojo/components/views.py @@ -70,5 +70,6 @@ def components(request): "filter": comp_filter, "result": result, "component_words": sorted(set(component_words)), + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), }, ) diff --git a/dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py b/dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py new file mode 100644 index 00000000000..3bfea2fed56 --- /dev/null +++ b/dojo/db_migrations/0213_system_settings_enable_ui_table_based_searching.py 
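Review bot: The added `"enable_table_filtering": get_system_setting("enable_ui_table_based_searching")` line in components() relies on `get_system_setting` being in scope, but the hunk does not show dojo/components/views.py's import block, so confirm it is already imported there (it would otherwise surface only as a NameError at request time, which a template-level test would not catch). The same check applies to each of the other views.py files touched by this commit. The body of components() starts above the hunk.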
@@ -0,0 +1,18 @@ +# Generated by Django 4.2.13 on 2024-07-23 19:53 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('dojo', '0212_sla_configuration_enforce_critical_and_more'), + ] + + operations = [ + migrations.AddField( + model_name='system_settings', + name='enable_ui_table_based_searching', + field=models.BooleanField(default=True, help_text='With this setting enabled, table headings will contain sort buttons for the current page of data in addition to sorting buttons that consider data from all pages.', verbose_name='Enable UI Table Based Filtering/Sorting'), + ), + ] diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index f0c542e2d96..f03d28dde34 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -257,6 +257,7 @@ def engagements_all(request): 'filter_form': filtered.form, 'name_words': sorted(set(name_words)), 'eng_words': sorted(set(eng_words)), + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), }) @@ -1435,6 +1436,7 @@ def view_edit_risk_acceptance(request, eid, raid, edit_mode=False): 'request': request, 'add_findings': add_fpage, 'return_url': get_return_url(request), + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), }) diff --git a/dojo/finding/views.py b/dojo/finding/views.py index 98ae7d31bed..5eca36a277a 100644 --- a/dojo/finding/views.py +++ b/dojo/finding/views.py @@ -376,6 +376,7 @@ def get_initial_context(self, request: HttpRequest): "jira_project": None, "github_config": None, "bulk_edit_form": FindingBulkUpdateForm(request.GET), + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), "title_words": get_words_for_field(Finding, "title"), "component_words": get_words_for_field(Finding, "component_name"), } 
@@ -742,6 +743,7 @@ def get_initial_context(self, request: HttpRequest, finding: Finding, user: Dojo "files": finding.files.all(), "note_type_activation": note_type_activation, "available_note_types": available_note_types, + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), "product_tab": Product_Tab( finding.test.engagement.product, title="View Finding", tab="findings" ) @@ -1736,7 +1738,7 @@ def request_finding_review(request, fid): return render( request, "dojo/review_finding.html", - {"finding": finding, "product_tab": product_tab, "user": user, "form": form}, + {"finding": finding, "product_tab": product_tab, "user": user, "form": form, "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), }, ) diff --git a/dojo/models.py b/dojo/models.py index 5de06d42743..f252084d10d 100644 --- a/dojo/models.py +++ b/dojo/models.py @@ -514,6 +514,11 @@ class System_Settings(models.Model): blank=False, verbose_name=_('Enable Finding Groups'), help_text=_("With this setting turned off, the Finding Groups will be disabled.")) + enable_ui_table_based_searching = models.BooleanField( + default=True, + blank=False, + verbose_name=_('Enable UI Table Based Filtering/Sorting'), + help_text=_("With this setting enabled, table headings will contain sort buttons for the current page of data in addition to sorting buttons that consider data from all pages.")) enable_calendar = models.BooleanField( default=True, blank=False, diff --git a/dojo/product/views.py b/dojo/product/views.py index 72b2b2b198c..0e34d6f05c1 100644 --- a/dojo/product/views.py +++ b/dojo/product/views.py @@ -152,6 +152,7 @@ def product(request): 'prod_list': prod_list, 'prod_filter': prod_filter, 'name_words': sorted(set(name_words)), + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), 'user': request.user}) 
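Review bot: The new System_Settings field is exposed under three different names: the column `enable_ui_table_based_searching`, the verbose_name "Enable UI Table Based Filtering/Sorting", and the template context key `enable_table_filtering`, which will make the setting hard to grep for and to document; picking one term (e.g. verbose_name `'Enable UI Table Based Searching'` and context key `enable_ui_table_based_searching`) would keep them aligned. The help_text also undersells what the toggle does: the template hunks in this commit wrap the whole DataTable initialisation including `dom: 'Bfrtip'` and the copy/excel/csv/pdf/print `buttons`, so turning it off removes the client-side search box, column visibility and all export buttons, not just the per-page sort arrows. Suggested help_text: "With this setting enabled, listing tables get client-side search, per-page sorting, column visibility and copy/CSV/Excel/PDF/print export buttons for the current page of data, in addition to the server-side sorting that considers all pages." The System_Settings class header is outside the hunk.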
@@ -336,6 +337,7 @@ def view_product_components(request, pid): 'filter': comp_filter, 'product_tab': product_tab, 'result': result, + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), 'component_words': sorted(set(component_words)) }) @@ -795,6 +797,7 @@ def view_engagements(request, pid): 'inactive_engs_count': result_inactive_engs.paginator.count, 'inactive_engs_filter': inactive_engs_filter, 'recent_test_day_count': recent_test_day_count, + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), 'user': request.user}) diff --git a/dojo/templates/dojo/components.html b/dojo/templates/dojo/components.html index 1d1667de233..f7045656ee9 100644 --- a/dojo/templates/dojo/components.html +++ b/dojo/templates/dojo/components.html @@ -122,55 +122,57 @@

}; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#components').DataTable({ - drawCallback: function(){ - $('#components .has-popover').hover( - function() { $(this).popover('show'); }, // hover - function() { $(this).popover('hide'); } // unhover - ); - }, - "columns": [ - { "data": "Component_name" }, - { "data": "Version" }, - { "data": "Active" }, - { "data": "Duplicate" }, - { "data": "Total" }, - ], - order: [], - columnDefs: [ - { - "orderable": false, + {% if enable_table_filtering %} + var dojoTable = $('#components').DataTable({ + drawCallback: function(){ + $('#components .has-popover').hover( + function() { $(this).popover('show'); }, // hover + function() { $(this).popover('hide'); } // unhover + ); }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' - }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + "columns": [ + { "data": "Component_name" }, + { "data": "Version" }, + { "data": "Active" }, + { "data": "Duplicate" }, + { "data": "Total" }, + ], + order: [], + columnDefs: [ + { + "orderable": false, + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + 
$.extend( true, {}, buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); {% include "dojo/filter_js_snippet.html" %} diff --git a/dojo/templates/dojo/engagements_all.html b/dojo/templates/dojo/engagements_all.html index 80ae6c3092f..f5720e8bc89 100644 --- a/dojo/templates/dojo/engagements_all.html +++ b/dojo/templates/dojo/engagements_all.html @@ -238,43 +238,45 @@

}; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#engagements').DataTable({ - colReorder: true, - columnDefs: [ - { - "orderable": false, - "targets": [0] - }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' - }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + {% if enable_table_filtering %} + var dojoTable = $('#engagements').DataTable({ + colReorder: true, + columnDefs: [ + { + "orderable": false, + "targets": [0] + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); {% include "dojo/filter_js_snippet.html" %} diff --git a/dojo/templates/dojo/findings_list_snippet.html b/dojo/templates/dojo/findings_list_snippet.html index 68e29b1cafe..eb0c2d7135f 100644 --- a/dojo/templates/dojo/findings_list_snippet.html +++ b/dojo/templates/dojo/findings_list_snippet.html @@ -837,51 +837,53 @@

}; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#open_findings').DataTable({ - drawCallback: function(){ - $('#open_findings .has-popover').hover( - function() { $(this).popover('show'); }, // hover - function() { $(this).popover('hide'); } // unhover - ); - }, - colReorder: true, - "columns": columns, - order: [], - columnDefs: [ - { - "orderable": false, - "targets": [0, 1] - }, - { - targets: [0, 1], - className: 'noVis' - }, - { - targets: 'severity-sort', - orderDataType: 'severity-asc' - }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' + {% if enable_table_filtering %} + var dojoTable = $('#open_findings').DataTable({ + drawCallback: function(){ + $('#open_findings .has-popover').hover( + function() { $(this).popover('show'); }, // hover + function() { $(this).popover('hide'); } // unhover + ); }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + colReorder: true, + "columns": columns, + order: [], + columnDefs: [ + { + "orderable": false, + "targets": [0, 1] + }, + { + targets: [0, 1], + className: 'noVis' + }, + { + targets: 'severity-sort', + orderDataType: 'severity-asc' + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); {% include "dojo/filter_js_snippet.html" %} diff --git a/dojo/templates/dojo/product_components.html b/dojo/templates/dojo/product_components.html index 07b964afd22..5b5e7bee14b 100644 
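Review bot: Wrapping the `$('#open_findings').DataTable(...)` initialisation in `{% if enable_table_filtering %}` inside an included snippet means any view that renders findings_list_snippet.html without adding the new context key silently loses DataTables, because Django resolves an undefined variable to falsy inside `{% if %}` rather than erroring. This commit adds the key to the finding, test and product views, but other callers of this include are not visible here and presumably exist. Reading the flag from the settings object the templates already have (engagement_list.html in this same commit uses `{% if system_settings.enable_jira %}`) would avoid the per-view dependency: `{% if system_settings.enable_ui_table_based_searching %}`. The enclosing `<script>` block starts above the hunk.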
--- a/dojo/templates/dojo/product_components.html +++ b/dojo/templates/dojo/product_components.html @@ -120,55 +120,57 @@

}; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#components-table').DataTable({ - drawCallback: function(){ - $('#components-table .has-popover').hover( - function() { $(this).popover('show'); }, // hover - function() { $(this).popover('hide'); } // unhover - ); - }, - "columns": [ - null, // Component_name - { "data": "Version" }, - null, // Active - null, // Duplicate - null, // Total - ], - order: [], - columnDefs: [ - { - "orderable": false, - }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' + {% if enable_table_filtering %} + var dojoTable = $('#components-table').DataTable({ + drawCallback: function(){ + $('#components-table .has-popover').hover( + function() { $(this).popover('show'); }, // hover + function() { $(this).popover('hide'); } // unhover + ); }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + "columns": [ + null, // Component_name + { "data": "Version" }, + null, // Active + null, // Duplicate + null, // Total + ], + order: [], + columnDefs: [ + { + "orderable": false, + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, 
buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); {% include "dojo/filter_js_snippet.html" %} diff --git a/dojo/templates/dojo/snippets/engagement_list.html b/dojo/templates/dojo/snippets/engagement_list.html index 72314eeca31..8b354563f46 100644 --- a/dojo/templates/dojo/snippets/engagement_list.html +++ b/dojo/templates/dojo/snippets/engagement_list.html @@ -295,68 +295,70 @@

{% if status == "open" %}Active{% elif status == "paused" %}Paused {% else }; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#{{status}}').DataTable({ - colReorder: true, - "columns": [ - { "data": "action" }, - { "data": "eng_name" }, - { "data": "engagement_type" }, - { "data": "lead" }, - null, - { "data": "length", "type": "num", render: function(data, type, row) { - if(type === 'sort') { - data = data.split(' ')[0]; - } - return data - }}, - {% if system_settings.enable_jira %} - { "data": "jira" }, - {% endif %} - null, // "tests" - null, // "data" - { "data": "mitigated" }, - { "data": "accepted" }, - { "data": "all" }, - { "data": "dups" }, - {% if status == "paused" or status == "closed" %} - { "data": "status" }, - {% endif %} - ], - columnDefs: [ - { - "orderable": false, - "targets": [0] - }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' - }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + {% if enable_table_filtering %} + var dojoTable = $('#{{status}}').DataTable({ + colReorder: true, + "columns": [ + { "data": "action" }, + { "data": "eng_name" }, + { "data": "engagement_type" }, + { "data": "lead" }, + null, + { "data": "length", "type": "num", render: function(data, type, row) { + if(type === 'sort') { + data = data.split(' ')[0]; + } + return data + }}, + {% if system_settings.enable_jira %} + { "data": "jira" }, + {% endif %} + null, // "tests" + null, // "data" + { "data": "mitigated" }, + { "data": "accepted" }, + { "data": "all" }, + { "data": "dups" }, + {% 
if status == "paused" or status == "closed" %} + { "data": "status" }, + {% endif %} + ], + columnDefs: [ + { + "orderable": false, + "targets": [0] + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); {% endblock %} diff --git a/dojo/templates/dojo/view_finding.html b/dojo/templates/dojo/view_finding.html index 5c1304c796f..03842eff781 100755 --- a/dojo/templates/dojo/view_finding.html +++ b/dojo/templates/dojo/view_finding.html @@ -1533,55 +1533,57 @@
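Review bot: The new `{% if enable_table_filtering %}` guard sits a few lines above `{% if system_settings.enable_jira %}` in the same initialiser, so this template already has the settings object and the new flag is reachable as `system_settings.enable_ui_table_based_searching` without the dozen `"enable_table_filtering": get_system_setting(...)` lines this commit adds across the views. Using the settings object directly gives the toggle a single source of truth and means future views rendering this snippet cannot forget to pass it. If `system_settings` comes from a context processor rather than being passed explicitly by these views, that should be confirmed before dropping the per-view key. The enclosing `$(document).ready` block starts above the hunk.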

Credential }; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#similar_findings_table').DataTable({ - drawCallback: function(){ - $('#similar_findings_table .has-popover').hover( - function() { $(this).popover('show'); }, // hover - function() { $(this).popover('hide'); } // unhover - ); - }, - colReorder: true, - "columns": columns, - order: [], - columnDefs: [ - { - "orderable": false, - "targets": [0, 1] - }, - { - targets: [0, 1], - className: 'noVis' - } - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' + {% if enable_table_filtering %} + var dojoTable = $('#similar_findings_table').DataTable({ + drawCallback: function(){ + $('#similar_findings_table .has-popover').hover( + function() { $(this).popover('show'); }, // hover + function() { $(this).popover('hide'); } // unhover + ); }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + colReorder: true, + "columns": columns, + order: [], + columnDefs: [ + { + "orderable": false, + "targets": [0, 1] + }, + { + targets: [0, 1], + className: 'noVis' + } + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, 
buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); diff --git a/dojo/templates/dojo/view_risk_acceptance.html b/dojo/templates/dojo/view_risk_acceptance.html index 69ae75d0564..2755d6ac337 100644 --- a/dojo/templates/dojo/view_risk_acceptance.html +++ b/dojo/templates/dojo/view_risk_acceptance.html @@ -398,39 +398,41 @@

Notes

observer.observe($table[0]); }; - setTimeout(function() { - var table = $('#findings_table').DataTable({ - "paging": false, - "searching": true, - "ordering": true, - "info": false, - scrollCollapse: true, - scrollY: '30vh', - columns: [ - { title: '' }, - { title: 'ID' }, - { title: 'Severity' }, - { title: 'Name' }, - { title: 'CWE' }, - { title: 'Vulnerability Id' }, - { title: 'EPSS Score' }, - { title: 'EPSS Precentile' }, - { - title: 'Date', - render: function(data) { - var date = new Date(data); - var year = date.getFullYear(); - var month = (1 + date.getMonth()).toString().padStart(2, '0'); - var day = date.getDate().toString().padStart(2, '0'); + {% if enable_table_filtering %} + setTimeout(function() { + var table = $('#findings_table').DataTable({ + "paging": false, + "searching": true, + "ordering": true, + "info": false, + scrollCollapse: true, + scrollY: '30vh', + columns: [ + { title: '' }, + { title: 'ID' }, + { title: 'Severity' }, + { title: 'Name' }, + { title: 'CWE' }, + { title: 'Vulnerability Id' }, + { title: 'EPSS Score' }, + { title: 'EPSS Precentile' }, + { + title: 'Date', + render: function(data) { + var date = new Date(data); + var year = date.getFullYear(); + var month = (1 + date.getMonth()).toString().padStart(2, '0'); + var day = date.getDate().toString().padStart(2, '0'); - return year + '-' + month + '-' + day; - } - }, - { title: 'Active' } - ] - }); - resizeHandler($('#findings_table')); - }, 0); + return year + '-' + month + '-' + day; + } + }, + { title: 'Active' } + ] + }); + resizeHandler($('#findings_table')); + }, 0); + {% endif %} }); {% endblock %} diff --git a/dojo/templates/dojo/view_test.html b/dojo/templates/dojo/view_test.html index a516a7df150..55bcb4ff8de 100644 --- a/dojo/templates/dojo/view_test.html +++ b/dojo/templates/dojo/view_test.html @@ -1681,58 +1681,60 @@

}; // Mapping of table columns to objects for proper cleanup and data formatting - var dojoTable = $('#test_findings').DataTable({ - drawCallback: function(){ - $('#test_findings .has-popover').hover( - function() { $(this).popover('show'); }, // hover - function() { $(this).popover('hide'); } // unhover - ); - }, - colReorder: true, - "columns": columns, - columnDefs: [ - { - "orderable": false, - "targets": [0] - }, - { - targets: [0, 1], - className: 'noVis' - }, - { - targets: 'severity-sort', - orderDataType: 'severity-asc' - }, - ], - dom: 'Bfrtip', - paging: false, - info: false, - buttons: [ - { - extend: 'colvis', - columns: ':not(.noVis)' + {% if enable_table_filtering %} + var dojoTable = $('#test_findings').DataTable({ + drawCallback: function(){ + $('#test_findings .has-popover').hover( + function() { $(this).popover('show'); }, // hover + function() { $(this).popover('hide'); } // unhover + ); }, - $.extend( true, {}, buttonCommon, { - extend: 'copy' - }), - $.extend( true, {}, buttonCommon, { - extend: 'excel', - autoFilter: true, - sheetName: 'Exported data', - }), - $.extend( true, {}, buttonCommon, { - extend: 'csv' - }), - $.extend( true, {}, buttonCommon, { - extend: 'pdf', - orientation: 'landscape', - pageSize: 'LETTER' - }), - $.extend( true, {}, buttonCommon, { - extend: 'print' - }), - ], - }); + colReorder: true, + "columns": columns, + columnDefs: [ + { + "orderable": false, + "targets": [0] + }, + { + targets: [0, 1], + className: 'noVis' + }, + { + targets: 'severity-sort', + orderDataType: 'severity-asc' + }, + ], + dom: 'Bfrtip', + paging: false, + info: false, + buttons: [ + { + extend: 'colvis', + columns: ':not(.noVis)' + }, + $.extend( true, {}, buttonCommon, { + extend: 'copy' + }), + $.extend( true, {}, buttonCommon, { + extend: 'excel', + autoFilter: true, + sheetName: 'Exported data', + }), + $.extend( true, {}, buttonCommon, { + extend: 'csv' + }), + $.extend( true, {}, buttonCommon, { + extend: 'pdf', + orientation: 
'landscape', + pageSize: 'LETTER' + }), + $.extend( true, {}, buttonCommon, { + extend: 'print' + }), + ], + }); + {% endif %} }); $(function () { diff --git a/dojo/test/views.py b/dojo/test/views.py index d15d518863d..a9d90ced713 100644 --- a/dojo/test/views.py +++ b/dojo/test/views.py @@ -207,6 +207,7 @@ def get_initial_context(self, request: HttpRequest, test: Test): "bulk_edit_form": FindingBulkUpdateForm(request.GET), 'finding_groups': test.finding_group_set.all().prefetch_related("findings", "jira_issue", "creator", "findings__vulnerability_id_set"), 'finding_group_by_options': Finding_Group.GROUP_BY_OPTIONS, + "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), } # Set the form using the context, and then update the context From 711705f55b9dc4710215db3dfc9dc3f8e761bb7d Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:04:11 +0200 Subject: [PATCH 03/16] :bug: extend aqua format issue #10611 (#10616) * :bug: extend aqua format issue #10611 * :bug: fix according to comment * ruff --- dojo/tools/aqua/parser.py | 41 +- .../scans/aqua/aqua_devops_issue_10611.json | 4055 +++++++++++++++++ unittests/scans/aqua/empty_aquadevops.json | 1 + unittests/tools/test_aqua_parser.py | 12 + 4 files changed, 4092 insertions(+), 17 deletions(-) create mode 100644 unittests/scans/aqua/aqua_devops_issue_10611.json create mode 100644 unittests/scans/aqua/empty_aquadevops.json diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py index d6056f892f2..baea1b674cb 100644 --- a/dojo/tools/aqua/parser.py +++ b/dojo/tools/aqua/parser.py 
@@ -18,25 +18,32 @@ def get_findings(self, json_output, test): return self.get_items(tree, test) def get_items(self, tree, test): - items = {} - if "resources" in tree: - vulnerabilityTree = tree["resources"] - - for node in vulnerabilityTree: - resource = node.get("resource") - vulnerabilities = node.get("vulnerabilities", []) - if vulnerabilities is None: - vulnerabilities = [] - for vuln in vulnerabilities: - item = get_item(resource, vuln, test) - unique_key = resource.get("cpe") + vuln.get("name", "None") + resource.get("path", "None") - items[unique_key] = item - elif "cves" in tree: + self.items = {} + if isinstance(tree, list): # Aqua Scan Report coming from Azure Devops jobs. + if tree: + vulnerabilitytree = tree[0]["results"]["resources"] + else: + vulnerabilitytree = [] + self.vulnerability_tree(vulnerabilitytree, test) + elif "resources" in tree: # Aqua Scan Report not from Azure Devops jobs. + vulnerabilitytree = tree["resources"] + self.vulnerability_tree(vulnerabilitytree, test) + elif "cves" in tree: # Aqua Scan Report not from Azure Devops jobs. for cve in tree["cves"]: unique_key = cve.get("file") + cve.get("name") - items[unique_key] = get_item_v2(cve, test) - - return list(items.values()) + self.items[unique_key] = get_item_v2(cve, test) + return list(self.items.values()) + + def vulnerability_tree(self, vulnerabilitytree, test): + for node in vulnerabilitytree: + resource = node.get("resource") + vulnerabilities = node.get("vulnerabilities", []) + if vulnerabilities is None: + vulnerabilities = [] + for vuln in vulnerabilities: + item = get_item(resource, vuln, test) + unique_key = resource.get("cpe") + vuln.get("name", "None") + resource.get("path", "None") + self.items[unique_key] = item def get_item(resource, vuln, test): diff --git a/unittests/scans/aqua/aqua_devops_issue_10611.json b/unittests/scans/aqua/aqua_devops_issue_10611.json new file mode 100644 index 00000000000..4e056369bf9 --- /dev/null 
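Review bot: The new list branch in get_items() only reads `tree[0]["results"]["resources"]`, so an Azure DevOps report with more than one entry (one per scanned image, if that is how the job emits them; the added fixture has a single entry) would silently drop every image after the first, and a report missing `results` or `resources` raises a bare KeyError from user-uploaded data instead of a parser error. Iterating the whole list with tolerant lookups covers both: `for report in tree:` / `    self.vulnerability_tree((report.get("results") or {}).get("resources") or [], test)`, which also removes the `if tree:` special case. The unique_key concatenation `resource.get("cpe") + ...` is pre-existing and will still TypeError when `cpe` is absent, so a `resource.get("cpe", "None")` default would be consistent with the other two operands. The AquaParser class header is outside the hunk.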
+++ b/unittests/scans/aqua/aqua_devops_issue_10611.json 
@@ -0,0 +1,4055 @@ +[ + { "image_name": "test:latest", + "results": + { + "image": "test:latest", + "registry": "myregistry", + "scan_started": { + "seconds": 1721416289, + "nanos": 744607040 + }, + "scan_duration": 53, + "digest": "sha256:97a847b2a0230e01116e00d8b988a4d150b49ee2662032456ab5c46e39ccba1d", + "metadata": {}, + "os": "debian", + "version": "11.7", + "resources": [ + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/@babel/traverse", + "name": "@babel/traverse", + "version": "7.22.15", + "cpe": "pkg:/npm:*:@babel/traverse:7.22.15", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-45133", + "type": "vulnerability", + "description": "Babel is a compiler for writingJavaScript. In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. Known affected plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its `useBuiltIns` option; and any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`. No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. 
Those who cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions: `@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator` v0.5.3.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45133", + "publish_date": "2023-10-12", + "modification_date": "2023-10-24", + "fix_version": "7.23.2, 8.0.0-alpha.4", + "solution": "Upgrade package @babel/traverse to version 8.0.0-alpha.4, 7.23.2 or above.", + "nvd_score_v3": 8.8, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.8, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.8", + "aqua_score_classification": "NVD CVSS V3 Score: 8.8", + "cwe_info": [ + { + "Id": "CWE-697", + "name": "Incorrect Comparison" + }, + { + "Id": "CWE-184", + "name": "Incomplete List of Disallowed Inputs" + } + ], + "epss_score": 0.0006, + "epss_percentile": 0.23474, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/@cypress/request", + "name": "@cypress/request", + "version": "2.88.12", + "cpe": "pkg:/npm:*:@cypress/request:2.88.12", + "license": "Apache-2.0", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-28155", + "type": "vulnerability", + "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", + "publish_date": "2023-03-16", + "modification_date": "2024-05-17", + "fix_version": "3.0.0", + "solution": "Upgrade package @cypress/request to version 3.0.0 or above.", + "nvd_score_v3": 6.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.1, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.1", + "aqua_score_classification": "NVD CVSS V3 Score: 6.1", + "cwe_info": [ + { + "Id": "CWE-918", + "name": "Server-Side Request Forgery (SSRF)" + } + ], + "epss_score": 0.00063, + "epss_percentile": 0.24994, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/braces", + "name": "braces", + "version": "2.3.2", + "cpe": "pkg:/npm:*:braces:2.3.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. 
In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/fast-glob/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/liftup/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jest-config/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/chokidar/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/@jest/transform/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/grunt/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jest-message-util/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jest-haste-map/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/@jest/core/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jest-util/node_modules/braces", + "name": "braces", + "version": "3.0.2", + "cpe": "pkg:/npm:*:braces:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-4068", + "type": "vulnerability", + "description": "The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", + "publish_date": "2024-05-14", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package braces to version 3.0.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1050", + "name": "Excessive Platform Resource Consumption within a Loop" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/crypto-js", + "name": "crypto-js", + "version": "3.3.0", + "cpe": "pkg:/npm:*:crypto-js:3.3.0", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-46233", + "type": "vulnerability", + "description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. 
If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + "publish_date": "2023-10-25", + "modification_date": "2023-11-27", + "fix_version": "4.2.0", + "solution": "Upgrade package crypto-js to version 4.2.0 or above.", + "nvd_score_v3": 9.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "nvd_severity_v3": "critical", + "aqua_score": 9.1, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.1", + "aqua_score_classification": "NVD CVSS V3 Score: 9.1", + "cwe_info": [ + { + "Id": "CWE-327", + "name": "Use of a Broken or Risky Cryptographic Algorithm" + }, + { + "Id": "CWE-328", + "name": "Use of Weak Hash" + }, + { + "Id": "CWE-916", + "name": "Use of Password Hash With Insufficient Computational Effort" + } + ], + "epss_score": 0.00067, + "epss_percentile": 0.27721, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/ecstatic", + "name": "ecstatic", + "version": "3.3.2", + "cpe": "pkg:/npm:*:ecstatic:3.3.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2019-10775", + "type": "vulnerability", + "description": "ecstatic have a denial of service vulnerability. 
Successful exploitation could lead to crash of an application.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10775", + "publish_date": "2020-01-02", + "modification_date": "2020-01-08", + "fix_version": "4.1.3", + "solution": "Upgrade package ecstatic to version 4.1.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00103, + "epss_percentile": 0.41937, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/engine.io", + "name": "engine.io", + "version": "4.1.2", + "cpe": "pkg:/npm:*:engine.io:4.1.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-41940", + "type": "vulnerability", + "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. 
There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "publish_date": "2022-11-22", + "modification_date": "2022-11-26", + "fix_version": "3.6.1, 6.2.1", + "solution": "Upgrade package engine.io to version 6.2.1, 3.6.1 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-248", + "name": "Uncaught Exception" + } + ], + "epss_score": 0.00079, + "epss_percentile": 0.32771, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/express", + "name": "express", + "version": "4.18.2", + "cpe": "pkg:/npm:*:express:4.18.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-29041", + "type": "vulnerability", + "description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. 
The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", + "publish_date": "2024-03-25", + "modification_date": "2024-03-26", + "fix_version": "4.19.2, 5.0.0-beta.3", + "solution": "Upgrade package express to version 5.0.0-beta.3, 4.19.2 or above.", + "nvd_score_v3": 6.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.1, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.1", + "aqua_score_classification": "NVD CVSS V3 Score: 6.1", + "cwe_info": [ + { + "Id": "CWE-1286", + "name": "Improper Validation of Syntactic Correctness of Input" + }, + { + "Id": "CWE-601", + "name": "URL Redirection to Untrusted Site ('Open Redirect')" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/express-jwt", + "name": "express-jwt", + "version": "0.1.3", + "cpe": "pkg:/npm:*:express-jwt:0.1.3", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2020-15084", + "type": "vulnerability", + "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. 
- You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", + "nvd_score": 4.3, + "nvd_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15084", + "publish_date": "2020-06-30", + "modification_date": "2022-10-21", + "fix_version": "6.0.0", + "solution": "Upgrade package express-jwt to version 6.0.0 or above.", + "nvd_score_v3": 9.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "nvd_severity_v3": "critical", + "aqua_score": 9.1, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.1", + "aqua_score_classification": "NVD CVSS V3 Score: 9.1", + "cwe_info": [ + { + "Id": "CWE-863", + "name": "Incorrect Authorization" + }, + { + "Id": "CWE-285", + "name": "Improper Authorization" + } + ], + "epss_score": 0.00197, + "epss_percentile": 0.57575, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/follow-redirects", + "name": "follow-redirects", + "version": "1.15.2", + "cpe": "pkg:/npm:*:follow-redirects:1.15.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-28849", + "type": "vulnerability", + "description": "follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which contains credentials too. 
This vulnerability may lead to credentials leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28849", + "publish_date": "2024-03-14", + "modification_date": "2024-03-23", + "fix_version": "1.15.6", + "solution": "Upgrade package follow-redirects to version 1.15.6 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-200", + "name": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "name": "CVE-2023-26159", + "type": "vulnerability", + "description": "Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. 
An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159", + "publish_date": "2024-01-02", + "modification_date": "2024-01-23", + "fix_version": "1.15.4", + "solution": "Upgrade package follow-redirects to version 1.15.4 or above.", + "nvd_score_v3": 6.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.1, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.1", + "aqua_score_classification": "NVD CVSS V3 Score: 6.1", + "cwe_info": [ + { + "Id": "CWE-601", + "name": "URL Redirection to Untrusted Site ('Open Redirect')" + }, + { + "Id": "CWE-20", + "name": "Improper Input Validation" + } + ], + "epss_score": 0.00051, + "epss_percentile": 0.17096, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/get-func-name", + "name": "get-func-name", + "version": "2.0.0", + "cpe": "pkg:/npm:*:get-func-name:2.0.0", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-43646", + "type": "vulnerability", + "description": "get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. 
This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\\t'.repeat(54773) + '\\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43646", + "publish_date": "2023-09-27", + "modification_date": "2023-10-02", + "fix_version": "2.0.1", + "solution": "Upgrade package get-func-name to version 2.0.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00044, + "epss_percentile": 0.10197, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/got", + "name": "got", + "version": "8.3.2", + "cpe": "pkg:/npm:*:got:8.3.2", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-33987", + "type": "vulnerability", + "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "publish_date": "2022-06-18", + "modification_date": "2022-06-28", + "fix_version": "11.8.5, 12.1.0", + "solution": "Upgrade package got to version 11.8.5, 12.1.0 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "epss_score": 0.00071, + "epss_percentile": 0.29159, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/hoek", + "name": "hoek", + "version": "5.0.4", + "cpe": "pkg:/npm:*:hoek:5.0.4", + "license": "BSD-3-Clause", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2020-36604", + "type": "vulnerability", + "description": "hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36604", + "publish_date": "2022-09-23", + "modification_date": "2023-11-07", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.00187, + "epss_percentile": 0.56235, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/topo/node_modules/hoek", + "name": "hoek", + "version": "6.1.3", + "cpe": "pkg:/npm:*:hoek:6.1.3", + "license": "BSD-3-Clause", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2020-36604", + "type": "vulnerability", + "description": "hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36604", + "publish_date": "2022-09-23", + "modification_date": "2023-11-07", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.00187, + "epss_percentile": 0.56235, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/http-cache-semantics", + "name": "http-cache-semantics", + "version": "3.8.1", + "cpe": "pkg:/npm:*:http-cache-semantics:3.8.1", + "license": "BSD-2-Clause", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-25881", + "type": "vulnerability", + "description": "This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\r\r", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "publish_date": "2023-01-31", + "modification_date": "2023-11-07", + "fix_version": "4.1.1", + "solution": "Upgrade package http-cache-semantics to version 4.1.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + } + ], + "epss_score": 0.00059, + "epss_percentile": 0.22992, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/ip", + "name": "ip", + "version": "1.1.8", + "cpe": "pkg:/npm:*:ip:1.1.8", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-42282", + "type": "vulnerability", + "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "publish_date": "2024-02-08", + "modification_date": "2024-07-03", + "fix_version": "1.1.9, 2.0.1", + "solution": "Upgrade package ip to version 2.0.1, 1.1.9 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-918", + "name": "Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/socks/node_modules/ip", + "name": "ip", + "version": "2.0.0", + "cpe": "pkg:/npm:*:ip:2.0.0", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-42282", + "type": "vulnerability", + "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282", + "publish_date": "2024-02-08", + "modification_date": "2024-07-03", + "fix_version": "1.1.9, 2.0.1", + "solution": "Upgrade package ip to version 2.0.1, 1.1.9 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-918", + "name": "Server-Side Request Forgery (SSRF)" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/tsconfig-paths/node_modules/json5", + "name": "json5", + "version": "1.0.2", + "cpe": "pkg:/npm:*:json5:1.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2021-44906", + "type": "vulnerability", + "description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "nvd_score": 7.5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "publish_date": "2022-03-17", + "modification_date": "2024-06-21", + "fix_version": "2.2.1", + "solution": "Upgrade package json5 to version 2.2.1 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.01248, + "epss_percentile": 0.84066, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken", + "name": "jsonwebtoken", + "version": "0.1.0", + "cpe": "pkg:/npm:*:jsonwebtoken:0.1.0", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2015-9235", + "type": "vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "nvd_score": 7.5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "publish_date": "2018-05-29", + "modification_date": "2019-10-09", + "fix_version": "4.2.2", + "solution": "Upgrade package jsonwebtoken to version 4.2.2 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-327", + "name": "Use of a Broken or Risky Cryptographic Algorithm" + }, + { + "Id": "CWE-20", + "name": "Improper Input Validation" + } + ], + "epss_score": 0.00559, + "epss_percentile": 0.75236, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2018-3745", + "type": "vulnerability", + "description": "atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.", + "nvd_score": 6.4, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3745", + "publish_date": "2018-05-29", + "modification_date": "2023-06-22", + "fix_version": "8.4.0", + "solution": "Upgrade package 
jsonwebtoken to version 8.4.0 or above.", + "nvd_score_v3": 9.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.1, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.1", + "aqua_score_classification": "NVD CVSS V3 Score: 9.1", + "cwe_info": [ + { + "Id": "CWE-125", + "name": "Out-of-bounds Read" + } + ], + "epss_score": 0.00604, + "epss_percentile": 0.76231, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23539", + "type": "vulnerability", + "description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "publish_date": "2022-12-23", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1", + "cwe_info": [ + { + "Id": "CWE-327", + "name": "Use of a Broken or Risky Cryptographic Algorithm" + } + ], + "epss_score": 0.00062, + "epss_percentile": 0.24485, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23540", + "type": "vulnerability", + "description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "publish_date": "2022-12-22", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 7.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "nvd_severity_v3": "high", + "aqua_score": 7.6, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.6", + "aqua_score_classification": "NVD CVSS V3 Score: 7.6", + "cwe_info": [ + { + "Id": "CWE-347", + "name": "Improper Verification of Cryptographic Signature" + }, + { + "Id": "CWE-287", + "name": "Improper Authentication" + } + ], + "epss_score": 0.00065, + "epss_percentile": 0.26758, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23541", + "type": "vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "publish_date": "2022-12-22", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 6.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 6.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.3", + "aqua_score_classification": "NVD CVSS V3 Score: 6.3", + "cwe_info": [ + { + "Id": "CWE-1259", + "name": "Improper Restriction of Security Token Assignment" + }, + { + "Id": "CWE-287", + "name": "Improper Authentication" + } + ], + "epss_score": 0.00079, + "epss_percentile": 0.32932, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jsonwebtoken", + "name": "jsonwebtoken", + "version": "0.4.0", + "cpe": "pkg:/npm:*:jsonwebtoken:0.4.0", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2018-3745", + "type": "vulnerability", + "description": "atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.", + "nvd_score": 6.4, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3745", + "publish_date": "2018-05-29", + "modification_date": "2023-06-22", + "fix_version": "8.4.0", + "solution": "Upgrade package jsonwebtoken to version 8.4.0 or above.", + "nvd_score_v3": 9.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.1, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.1", + "aqua_score_classification": "NVD CVSS V3 Score: 9.1", + "cwe_info": [ + { + "Id": "CWE-125", + "name": "Out-of-bounds Read" + } + ], + "epss_score": 0.00604, + "epss_percentile": 0.76231, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2015-9235", + "type": "vulnerability", + "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "nvd_score": 7.5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "publish_date": "2018-05-29", + "modification_date": "2019-10-09", + "fix_version": "4.2.2", + "solution": "Upgrade package jsonwebtoken to version 4.2.2 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-327", + "name": "Use of a Broken or Risky Cryptographic Algorithm" + }, + { + "Id": "CWE-20", + "name": "Improper Input Validation" + } + ], + "epss_score": 0.00559, + "epss_percentile": 0.75236, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23539", + "type": "vulnerability", + "description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. 
After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "publish_date": "2022-12-23", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1", + "cwe_info": [ + { + "Id": "CWE-327", + "name": "Use of a Broken or Risky Cryptographic Algorithm" + } + ], + "epss_score": 0.00062, + "epss_percentile": 0.24485, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23540", + "type": "vulnerability", + "description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. 
If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "publish_date": "2022-12-22", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 7.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "nvd_severity_v3": "high", + "aqua_score": 7.6, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.6", + "aqua_score_classification": "NVD CVSS V3 Score: 7.6", + "cwe_info": [ + { + "Id": "CWE-347", + "name": "Improper Verification of Cryptographic Signature" + }, + { + "Id": "CWE-287", + "name": "Improper Authentication" + } + ], + "epss_score": 0.00065, + "epss_percentile": 0.26758, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-23541", + "type": "vulnerability", + "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. 
This issue has been patched, please update to version 9.0.0.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "publish_date": "2022-12-22", + "modification_date": "2024-06-21", + "fix_version": "9.0.0", + "solution": "Upgrade package jsonwebtoken to version 9.0.0 or above.", + "nvd_score_v3": 6.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 6.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.3", + "aqua_score_classification": "NVD CVSS V3 Score: 6.3", + "cwe_info": [ + { + "Id": "CWE-1259", + "name": "Improper Restriction of Security Token Assignment" + }, + { + "Id": "CWE-287", + "name": "Improper Authentication" + } + ], + "epss_score": 0.00079, + "epss_percentile": 0.32932, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "deb", + "name": "libc6", + "version": "2.31-13+deb11u6", + "arch": "amd64", + "cpe": "pkg:/debian:11.7:libc6:2.31-13+deb11u6", + "license": "LGPL-2.1,GPL-2", + "layer_digest": "sha256:c60b28d3f33cd1af8c56092e9fa1d94ab9a3d95fe5bd5dff6fe4489a1682dcfb", + "src_name": "glibc", + "src_version": "2.31" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "DSA-5514-1", + "description": "glibc - security update", + "publish_date": "2023-10-03", + "fix_version": "2.36-9+deb12u3", + "solution": "Upgrade package libc6 to version 2.36-9+deb12u3 or above.", + "ref_vulns": [ + { + "name": "CVE-2023-4911", + "type": "vulnerability", + "description": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. 
This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4911", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2023-4911", + "publish_date": "2023-10-03", + "modification_date": "2024-02-22", + "fix_version": "2.31-13+deb11u7", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u7 or above.", + "nvd_score_v3": 7.8, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.8, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5001442, + "ancestor_pkg": "glibc", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.8", + "aqua_score_classification": "NVD CVSS V3 Score: 7.8", + "fix_publish_date": "2023-10-03", + "cwe_info": [ + { + "Id": "CWE-787", + "name": "Out-of-bounds Write" + }, + { + "Id": "CWE-122", + "name": "Heap-based Buffer Overflow" + } + ], + "cisa_publish_date": "2023-11-21", + "cisa_due_date": "2023-12-12", + "epss_score": 0.01715, + "epss_percentile": 0.865, + "epss_date": "2024-01-22" + } + ], + "nvd_score_v3": 7.8, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.8, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.8", + "aqua_score_classification": "NVD CVSS V3 Score: 7.8", + "vendor_publish_date": "2023-10-03" + }, + { + "name": "DSA-5678-1", + "description": "glibc - security update", + "publish_date": "2024-05-03", + "fix_version": "2.36-9+deb12u7", + "solution": "Upgrade package libc6 to version 2.36-9+deb12u7 or above.", + "ref_vulns": [ + { + "name": "CVE-2024-33602", + 
"type": "vulnerability", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-33602", + "publish_date": "2024-05-06", + "modification_date": "2024-07-03", + "fix_version": "2.31-13+deb11u10", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u10 or above.", + "nvd_score_v3": 8.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "nvd_severity_v3": "high", + "aqua_score": 8.6, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5281859, + "ancestor_pkg": "glibc", + "aqua_severity_classification": "NVD CVSS V3 Score: 8.6", + "aqua_score_classification": "NVD CVSS V3 Score: 8.6", + "fix_publish_date": "2024-05-04", + "cwe_info": [ + { + "Id": "CWE-466", + "name": "Return of Pointer Value Outside of Expected Range" + } + ] + }, + { + "name": "CVE-2024-33601", + "type": "vulnerability", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. 
The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-33601", + "publish_date": "2024-05-06", + "modification_date": "2024-07-03", + "fix_version": "2.31-13+deb11u10", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u10 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5281862, + "ancestor_pkg": "glibc", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "fix_publish_date": "2024-05-04", + "cwe_info": [ + { + "Id": "CWE-617", + "name": "Reachable Assertion" + } + ] + }, + { + "name": "CVE-2024-33599", + "type": "vulnerability", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. 
This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-33599", + "publish_date": "2024-05-06", + "modification_date": "2024-06-30", + "fix_version": "2.31-13+deb11u10", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u10 or above.", + "heuristic_ref_id": 5281866, + "ancestor_pkg": "glibc", + "fix_publish_date": "2024-05-04", + "cwe_info": [ + { + "Id": "CWE-121", + "name": "Stack-based Buffer Overflow" + } + ] + }, + { + "name": "CVE-2024-33600", + "type": "vulnerability", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-33600", + "publish_date": "2024-05-06", + "modification_date": "2024-06-30", + "fix_version": "2.31-13+deb11u10", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u10 or above.", + "heuristic_ref_id": 5281864, + "ancestor_pkg": "glibc", + "fix_publish_date": "2024-05-04", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ], + "nvd_score_v3": 8.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "nvd_severity_v3": "high", + "aqua_score": 8.6, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 8.6", + "aqua_score_classification": "NVD CVSS V3 Score: 8.6", + "vendor_publish_date": "2024-05-03" + }, + { + "name": "DSA-5673-1", + "description": "glibc - security update", + "publish_date": 
"2024-04-23", + "fix_version": "2.36-9+deb12u6", + "solution": "Upgrade package libc6 to version 2.36-9+deb12u6 or above.", + "ref_vulns": [ + { + "name": "CVE-2024-2961", + "type": "vulnerability", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-2961", + "publish_date": "2024-04-17", + "modification_date": "2024-07-03", + "fix_version": "2.31-13+deb11u9", + "solution": "Upgrade package libc6 to version 2.31-13+deb11u9 or above.", + "nvd_score_v3": 7.3, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.3, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5246374, + "ancestor_pkg": "glibc", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.3", + "aqua_score_classification": "NVD CVSS V3 Score: 7.3", + "fix_publish_date": "2024-04-23", + "cwe_info": [ + { + "Id": "CWE-787", + "name": "Out-of-bounds Write" + } + ] + } + ], + "nvd_score_v3": 7.3, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.3, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.3", + "aqua_score_classification": "NVD CVSS V3 Score: 7.3", + "vendor_publish_date": "2024-04-23" + } + ] + }, + { + "resource": { + "format": "deb", + "name": "libssl1.1", + "version": "1.1.1n-0+deb11u5", + "arch": "amd64", + "cpe": "pkg:/debian:11.7:libssl1.1:1.1.1n-0+deb11u5", + 
"license": "BSD-style", + "layer_digest": "sha256:1c47a89b8f417471ea2e6af631571f4632ba00772e2778cc7c15b72080f8da14", + "src_name": "openssl", + "src_version": "1.1.1n" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-3446", + "type": "vulnerability", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. 
Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2023-3446", + "publish_date": "2023-07-19", + "modification_date": "2024-06-10", + "fix_version": "1.1.1v-0~deb11u1", + "solution": "Upgrade package libssl1.1 to version 1.1.1v-0~deb11u1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5003131, + "ancestor_pkg": "openssl", + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "fix_publish_date": "2023-10-07", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + } + ], + "epss_score": 0.00208, + "epss_percentile": 0.58764, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-3817", + "type": "vulnerability", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), 
DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2023-3817", + "publish_date": "2023-07-31", + "modification_date": "2024-06-21", + "fix_version": "1.1.1v-0~deb11u1", + "solution": "Upgrade package libssl1.1 to version 1.1.1v-0~deb11u1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5002949, + "ancestor_pkg": "openssl", + "aqua_severity_classification": "NVD CVSS V3 Score: 
5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "fix_publish_date": "2023-10-07", + "cwe_info": [ + { + "Id": "CWE-834", + "name": "Excessive Iteration" + } + ], + "epss_score": 0.0013, + "epss_percentile": 0.47743, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/libxmljs2", + "name": "libxmljs2", + "version": "0.32.0", + "cpe": "pkg:/npm:*:libxmljs2:0.32.0", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-34393", + "type": "vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34393", + "publish_date": "2024-05-02", + "modification_date": "2024-05-03", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1" + }, + { + "name": "CVE-2024-34394", + "type": "vulnerability", + "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. 
This vulnerability can lead to denial of service and remote code execution.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394", + "publish_date": "2024-05-02", + "modification_date": "2024-05-03", + "nvd_score_v3": 8.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.1, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.1", + "aqua_score_classification": "NVD CVSS V3 Score: 8.1" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/sanitize-html/node_modules/lodash", + "name": "lodash", + "version": "2.4.2", + "cpe": "pkg:/npm:*:lodash:2.4.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2019-10744", + "type": "vulnerability", + "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "nvd_score": 6.4, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "publish_date": "2019-07-26", + "modification_date": "2024-01-21", + "fix_version": "4.17.12", + "solution": "Upgrade package lodash to version 4.17.12 or above.", + "nvd_score_v3": 9.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.1, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.1", + "aqua_score_classification": "NVD CVSS V3 Score: 9.1", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.01478, + "epss_percentile": 0.85417, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2021-23337", + "type": "vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "nvd_score": 6.5, + "nvd_vectors": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "publish_date": "2021-02-15", + "modification_date": "2022-09-13", + "fix_version": "4.17.21", + "solution": "Upgrade package lodash to version 4.17.21 or above.", + "nvd_score_v3": 7.2, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.2, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.2", + 
"aqua_score_classification": "NVD CVSS V3 Score: 7.2", + "cwe_info": [ + { + "Id": "CWE-94", + "name": "Improper Control of Generation of Code ('Code Injection')" + } + ], + "epss_score": 0.00606, + "epss_percentile": 0.76265, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2018-16487", + "type": "vulnerability", + "description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "nvd_score": 6.8, + "nvd_vectors": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "publish_date": "2019-02-01", + "modification_date": "2020-09-18", + "fix_version": "4.17.11", + "solution": "Upgrade package lodash to version 4.17.11 or above.", + "nvd_score_v3": 5.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.6, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.6", + "aqua_score_classification": "NVD CVSS V3 Score: 5.6", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00117, + "epss_percentile": 0.45475, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2018-3721", + "type": "vulnerability", + "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "nvd_score": 4, + "nvd_vectors": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "publish_date": "2018-06-07", + "modification_date": "2024-02-16", + "fix_version": "4.17.5", + "solution": "Upgrade package lodash to version 4.17.5 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + }, + { + "Id": "CWE-471", + "name": "Modification of Assumed-Immutable Data (MAID)" + } + ], + "epss_score": 0.00121, + "epss_percentile": 0.46288, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2019-1010266", + "type": "vulnerability", + "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.17.11.", + "nvd_score": 4, + "nvd_vectors": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", + "publish_date": "2019-07-17", + "modification_date": "2020-09-30", + "fix_version": "4.17.11", + "solution": "Upgrade package lodash to version 4.17.11 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-770", + "name": "Allocation of Resources Without Limits or Throttling" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00317, + "epss_percentile": 0.67347, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2020-28500", + "type": "vulnerability", + "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "publish_date": "2021-02-15", + "modification_date": "2022-09-13", + "fix_version": "4.17.21", + "solution": "Upgrade package lodash to version 4.17.21 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD 
CVSS V3 Score: 5.3", + "epss_score": 0.00231, + "epss_percentile": 0.61265, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/lodash.set", + "name": "lodash.set", + "version": "4.3.2", + "cpe": "pkg:/npm:*:lodash.set:4.3.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2020-8203", + "type": "vulnerability", + "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "nvd_score": 5.8, + "nvd_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "publish_date": "2020-07-15", + "modification_date": "2024-01-21", + "nvd_score_v3": 7.4, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.4, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.4", + "aqua_score_classification": "NVD CVSS V3 Score: 7.4", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + }, + { + "Id": "CWE-770", + "name": "Allocation of Resources Without Limits or Throttling" + } + ], + "epss_score": 0.01036, + "epss_percentile": 0.82286, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/mocha/node_modules/minimatch", + "name": "minimatch", + "version": "3.0.4", + "cpe": "pkg:/npm:*:minimatch:3.0.4", + "license": "ISC", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-3517", + "type": "vulnerability", + "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517", + "publish_date": "2022-10-17", + "modification_date": "2023-11-07", + "fix_version": "3.0.5", + "solution": "Upgrade package minimatch to version 3.0.5 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + }, + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00112, + "epss_percentile": 0.44402, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/bower-config/node_modules/minimist", + "name": "minimist", + "version": "0.2.4", + "cpe": "pkg:/npm:*:minimist:0.2.4", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2021-44906", + "type": "vulnerability", + "description": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "nvd_score": 7.5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "publish_date": "2022-03-17", + "modification_date": "2024-06-21", + "fix_version": "1.2.6", + "solution": "Upgrade package minimist to version 1.2.6 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.01248, + "epss_percentile": 0.84066, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2020-7598", + "type": "vulnerability", + "description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", + "nvd_score": 6.8, + "nvd_vectors": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "publish_date": "2020-03-11", + "modification_date": "2022-04-22", + "fix_version": "1.2.2", + "solution": "Upgrade package minimist to version 1.2.2 or above.", + "nvd_score_v3": 5.6, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "nvd_severity_v3": "medium", + 
"aqua_score": 5.6, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.6", + "aqua_score_classification": "NVD CVSS V3 Score: 5.6", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.00105, + "epss_percentile": 0.42369, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/express-jwt/node_modules/moment", + "name": "moment", + "version": "2.0.0", + "cpe": "pkg:/npm:*:moment:2.0.0", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2017-18214", + "type": "vulnerability", + "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "publish_date": "2018-03-04", + "modification_date": "2022-02-14", + "fix_version": "2.19.3", + "solution": "Upgrade package moment to version 2.19.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + 
"epss_score": 0.00238, + "epss_percentile": 0.61919, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2022-24785", + "type": "vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "publish_date": "2022-04-04", + "modification_date": "2023-11-07", + "fix_version": "2.29.2", + "solution": "Upgrade package moment to version 2.29.2 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-22", + "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + }, + { + "Id": "CWE-27", + "name": "Path Traversal" + } + ], + "epss_score": 0.0033, + "epss_percentile": 0.68031, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2016-4055", + "type": "vulnerability", + "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", + "nvd_score": 7.8, + "nvd_vectors": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "publish_date": "2017-01-23", + "modification_date": "2023-11-07", + "fix_version": "2.11.2", + "solution": "Upgrade package moment to version 2.11.2 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00609, + "epss_percentile": 0.76325, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "javascript", + "path": "/juice-shop/node_modules/express-jwt/node_modules/moment/moment.js", + "name": "moment.js", + "version": "2.0.0", + "cpe": "pkg:/javascript:*:moment.js:2.0.0", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-24785", + "type": "vulnerability", + "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. 
As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "publish_date": "2022-04-04", + "modification_date": "2023-11-07", + "fix_version": "2.29.2", + "solution": "Upgrade package moment.js to version 2.29.2 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-22", + "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + }, + { + "Id": "CWE-27", + "name": "Path Traversal" + } + ], + "epss_score": 0.0033, + "epss_percentile": 0.68031, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2017-18214", + "type": "vulnerability", + "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "publish_date": "2018-03-04", + "modification_date": "2022-02-14", + "fix_version": "2.19.3", + "solution": "Upgrade package moment.js to version 2.19.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + 
"aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00238, + "epss_percentile": 0.61919, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2016-4055", + "type": "vulnerability", + "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", + "nvd_score": 7.8, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "nvd_severity": "high", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "publish_date": "2017-01-23", + "modification_date": "2023-11-07", + "fix_version": "2.11.2", + "solution": "Upgrade package moment.js to version 2.11.2 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "epss_score": 0.00609, + "epss_percentile": 0.76325, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/nanoid", + "name": "nanoid", + "version": "3.1.20", + "cpe": "pkg:/npm:*:nanoid:3.1.20", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2021-23566", + "type": "vulnerability", + "description": "The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.", + "nvd_score": 2.1, + "nvd_vectors": "AV:L/AC:L/Au:N/C:P/I:N/A:N", + "nvd_severity": "low", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23566", + "publish_date": "2022-01-14", + "modification_date": "2022-07-12", + "fix_version": "3.1.31", + "solution": "Upgrade package nanoid to version 3.1.31 or above.", + "nvd_score_v3": 5.5, + "nvd_vectors_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.5", + "aqua_score_classification": "NVD CVSS V3 Score: 5.5", + "cwe_info": [ + { + "Id": "CWE-704", + "name": "Incorrect Type Conversion or Cast" + } + ], + "epss_score": 0.00052, + "epss_percentile": 0.17545, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "type": 2, + "path": "/nodejs/bin/node", + "name": "node.js", + "version": "18.17.1", + "cpe": "cpe:/a:nodejs:node.js:18.17.1", + "layer_digest": "sha256:55421bbff262b4f7da833e21332c102fdf25ffc72f2a7ec95acd092afad59fb7" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-44487", + "type": "vulnerability", + "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", + "publish_date": "2023-10-10", + 
"modification_date": "2024-06-27", + "fix_version": "18.18.2, 20.8.1", + "solution": "Upgrade package cpe:/a:nodejs:node.js to version 18.18.2,20.8.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + } + ], + "cisa_publish_date": "2023-10-10", + "cisa_due_date": "2023-10-31", + "epss_score": 0.64485, + "epss_percentile": 0.97598, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-38552", + "type": "vulnerability", + "description": "When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check.\nImpacts:\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.\nPlease note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38552", + "publish_date": "2023-10-18", + "modification_date": "2024-02-16", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-345", + "name": "Insufficient Verification of Data Authenticity" + } 
+ ], + "epss_score": 0.00087, + "epss_percentile": 0.36472, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "deb", + "name": "nodejs", + "version": "18.17.1", + "arch": "amd64", + "cpe": "pkg:/debian:11.7:nodejs:18.17.1", + "layer_digest": "sha256:55421bbff262b4f7da833e21332c102fdf25ffc72f2a7ec95acd092afad59fb7", + "src_name": "nodejs", + "src_version": "18.17.1" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-22019", + "type": "vulnerability", + "description": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22019", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-22019", + "publish_date": "2024-02-20", + "modification_date": "2024-05-01", + "fix_version": "18.19.1+dfsg-1", + "solution": "Upgrade operating system to debian version 13 (includes fixed versions of nodejs)", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5162860, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5" + }, + { + "name": "CVE-2024-27983", + "type": "vulnerability", + "description": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. 
It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27983", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-27983", + "publish_date": "2024-04-09", + "modification_date": "2024-06-10", + "fix_version": "18.20.1+dfsg-1", + "solution": "Upgrade operating system to debian version 13 (includes fixed versions of nodejs)", + "nvd_score_v3": 8.2, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "nvd_severity_v3": "high", + "aqua_score": 8.2, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5223065, + "aqua_severity_classification": "NVD CVSS V3 Score: 8.2", + "aqua_score_classification": "NVD CVSS V3 Score: 8.2" + }, + { + "name": "CVE-2024-22025", + "type": "vulnerability", + "description": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22025", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-22025", + "publish_date": "2024-03-19", + "modification_date": "2024-06-10", + "fix_version": 
"18.19.1+dfsg-1", + "solution": "Upgrade operating system to debian version 13 (includes fixed versions of nodejs)", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5171294, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5" + }, + { + "name": "CVE-2024-22020", + "type": "vulnerability", + "description": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22020", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-22020", + "publish_date": "2024-07-09", + "modification_date": "2024-07-11", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5526427, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-284", + "name": "Improper Access Control" + } + ] + }, + { + "name": "CVE-2024-27982", + "type": "vulnerability", + "description": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. 
Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27982", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-27982", + "publish_date": "2024-05-07", + "modification_date": "2024-05-07", + "fix_version": "18.20.1+dfsg-1", + "solution": "Upgrade operating system to debian version 13 (includes fixed versions of nodejs)", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5223072, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5" + }, + { + "name": "CVE-2024-22018", + "type": "vulnerability", + "description": "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. 
As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22018", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2024-22018", + "publish_date": "2024-07-10", + "modification_date": "2024-07-11", + "nvd_score_v3": 2.9, + "nvd_vectors_v3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "nvd_severity_v3": "low", + "aqua_score": 2.9, + "aqua_severity": "low", + "aqua_vectors": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5526411, + "aqua_severity_classification": "NVD CVSS V3 Score: 2.9", + "aqua_score_classification": "NVD CVSS V3 Score: 2.9" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/notevil", + "name": "notevil", + "version": "1.3.3", + "cpe": "pkg:/npm:*:notevil:1.3.3", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2021-23771", + "type": "vulnerability", + "description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. 
**Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", + "nvd_score": 6.4, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "publish_date": "2022-03-17", + "modification_date": "2022-03-24", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.00069, + "epss_percentile": 0.28632, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "deb", + "name": "openssl", + "version": "1.1.1n-0+deb11u5", + "arch": "amd64", + "cpe": "pkg:/debian:11.7:openssl:1.1.1n-0+deb11u5", + "license": "BSD-style", + "layer_digest": "sha256:6a1069d9378ceb8b9c68d24d0431f61ac711d50ba675e7f273279f768e3d5f9a", + "src_name": "openssl", + "src_version": "1.1.1n" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-3446", + "type": "vulnerability", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. 
One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2023-3446", + "publish_date": "2023-07-19", + "modification_date": "2024-06-10", + "fix_version": "1.1.1v-0~deb11u1", + "solution": "Upgrade package openssl to version 1.1.1v-0~deb11u1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5003131, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "fix_publish_date": "2023-10-07", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + } + ], + "epss_score": 0.00208, 
+ "epss_percentile": 0.58764, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-3817", + "type": "vulnerability", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "vendor_url": "https://security-tracker.debian.org/tracker/CVE-2023-3817", + "publish_date": "2023-07-31", + "modification_date": "2024-06-21", + "fix_version": "1.1.1v-0~deb11u1", + "solution": "Upgrade package openssl to version 1.1.1v-0~deb11u1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + 
"nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 5002949, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "fix_publish_date": "2023-10-07", + "cwe_info": [ + { + "Id": "CWE-834", + "name": "Excessive Iteration" + } + ], + "epss_score": 0.0013, + "epss_percentile": 0.47743, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "type": 2, + "path": "/usr/bin/openssl", + "name": "openssl", + "version": "1.1.1n", + "cpe": "cpe:/a:openssl:openssl:1.1.1n", + "layer_digest": "sha256:6a1069d9378ceb8b9c68d24d0431f61ac711d50ba675e7f273279f768e3d5f9a" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-3817", + "type": "vulnerability", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. 
A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817", + "publish_date": "2023-07-31", + "modification_date": "2024-06-21", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "cwe_info": [ + { + "Id": "CWE-834", + "name": "Excessive Iteration" + } + ], + "epss_score": 0.0013, + "epss_percentile": 0.47743, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "type": 1, + "path": "/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/test/priv.pem", + "name": "priv.pem", + "cpe": "file:/eb4dfc7a875e49e963fb2d2ad42fe24e4ce370b4", + "hash": "sha1:eb4dfc7a875e49e963fb2d2ad42fe24e4ce370b4", + "sensitive_items": [ + "RSA PRIVATE KEY" + ], + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "sensitive_data_items": [ + { + "type": "RSA PRIVATE KEY" + } + ] + }, + { + "resource": { + "type": 1, + "path": "/juice-shop/node_modules/jsonwebtoken/test/priv.pem", + "name": "priv.pem", + "cpe": "file:/eb4dfc7a875e49e963fb2d2ad42fe24e4ce370b4", + "hash": "sha1:eb4dfc7a875e49e963fb2d2ad42fe24e4ce370b4", + "sensitive_items": [ + "RSA PRIVATE KEY" + ], + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "sensitive_data_items": [ + { + "type": "RSA PRIVATE KEY" + }, + { + "type": "RSA PRIVATE KEY" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/pug", + "name": "pug", + "version": "3.0.2", + "cpe": "pkg:/npm:*:pug:3.0.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-36361", + "type": "vulnerability", + "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. 
NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36361", + "publish_date": "2024-05-24", + "modification_date": "2024-07-03", + "fix_version": "3.0.3", + "solution": "Upgrade package pug to version 3.0.3 or above.", + "nvd_score_v3": 6.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.8, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.8", + "aqua_score_classification": "NVD CVSS V3 Score: 6.8", + "cwe_info": [ + { + "Id": "CWE-94", + "name": "Improper Control of Generation of Code ('Code Injection')" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/sanitize-html", + "name": "sanitize-html", + "version": "1.4.2", + "cpe": "pkg:/npm:*:sanitize-html:1.4.2", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2022-25887", + "type": "vulnerability", + "description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "publish_date": "2022-08-30", + "modification_date": "2023-08-08", + "fix_version": "2.7.1", + "solution": "Upgrade package sanitize-html to version 2.7.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + } + ], + "epss_score": 0.00112, + "epss_percentile": 0.44477, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2021-26540", + "type": "vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "publish_date": "2021-02-08", + "modification_date": "2021-04-01", + "fix_version": "2.3.2", + "solution": "Upgrade package sanitize-html to version 2.3.2 or above.", + 
"nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "epss_score": 0.00137, + "epss_percentile": 0.4898, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2024-21501", + "type": "vulnerability", + "description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + "publish_date": "2024-02-24", + "modification_date": "2024-06-10", + "fix_version": "2.12.1", + "solution": "Upgrade package sanitize-html to version 2.12.1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "cwe_info": [ + { + "Id": "CWE-200", + "name": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "name": "CVE-2016-1000237", + "type": "vulnerability", + "description": "sanitize-html before 1.4.3 has XSS.", + "nvd_score": 4.3, + "nvd_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "publish_date": "2020-01-23", + "modification_date": "2020-01-24", + "fix_version": "1.4.3", + "solution": "Upgrade package sanitize-html to version 1.4.3 or above.", + "nvd_score_v3": 6.1, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.1, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.1", + "aqua_score_classification": "NVD CVSS V3 Score: 6.1", + "cwe_info": [ + { + "Id": "CWE-79", + "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ], + "epss_score": 0.00132, + "epss_percentile": 0.48183, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2021-26539", + "type": "vulnerability", + "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", + "nvd_score": 5, + "nvd_vectors": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "publish_date": "2021-02-08", + "modification_date": "2022-04-26", + "fix_version": "2.3.1", + "solution": "Upgrade package sanitize-html to version 2.3.1 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "epss_score": 0.00137, + "epss_percentile": 0.4898, + "epss_date": 
"2024-01-22" + }, + { + "name": "CVE-2017-16016", + "type": "vulnerability", + "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "nvd_score": 4.3, + "nvd_vectors": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "publish_date": "2018-06-04", + "modification_date": "2019-10-09", + "fix_version": "1.11.4", + "solution": "Upgrade package sanitize-html to version 1.11.4 or above.", + "nvd_score_v3": 6.1, + "nvd_vectors_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 6.1, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.1", + "aqua_score_classification": "NVD CVSS V3 Score: 6.1", + "cwe_info": [ + { + "Id": "CWE-79", + "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ], + "epss_score": 0.00084, + "epss_percentile": 0.3482, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "type": 1, + "path": "/juice-shop/node_modules/node-gyp/test/fixtures/server.key", + "name": "server.key", + "cpe": "file:/49e5988d6e1501e35786c52e9ef4f2c78d08db86", + "hash": "sha1:49e5988d6e1501e35786c52e9ef4f2c78d08db86", + "sensitive_items": [ + "RSA PRIVATE KEY" + ], + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "sensitive_data_items": [ + { + "type": "RSA PRIVATE KEY" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/socket.io", + "name": "socket.io", + "version": "3.1.2", + "cpe": "pkg:/npm:*:socket.io:3.1.2", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-38355", + "type": "vulnerability", + "description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. 
Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "publish_date": "2024-06-19", + "modification_date": "2024-06-20", + "fix_version": "2.5.1, 4.6.2", + "solution": "Upgrade package socket.io to version 4.6.2, 2.5.1 or above.", + "nvd_score_v3": 7.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "nvd_severity_v3": "high", + "aqua_score": 7.3, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.3", + "aqua_score_classification": "NVD CVSS V3 Score: 7.3", + "cwe_info": [ + { + "Id": "CWE-20", + "name": "Improper Input Validation" + }, + { + "Id": "CWE-754", + "name": "Improper Check for Unusual or Exceptional Conditions" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/socket.io-parser", + "name": "socket.io-parser", + "version": "4.0.5", + "cpe": "pkg:/npm:*:socket.io-parser:4.0.5", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-32695", + "type": "vulnerability", + "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. 
A patch has been released in version 4.2.3.\n\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32695", + "publish_date": "2023-05-27", + "modification_date": "2023-06-05", + "fix_version": "3.4.3, 4.2.3", + "solution": "Upgrade package socket.io-parser to version 4.2.3, 3.4.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-754", + "name": "Improper Check for Unusual or Exceptional Conditions" + }, + { + "Id": "CWE-20", + "name": "Improper Input Validation" + } + ], + "epss_score": 0.0011, + "epss_percentile": 0.43898, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/node-pre-gyp/node_modules/tar", + "name": "tar", + "version": "4.4.19", + "cpe": "pkg:/npm:*:tar:4.4.19", + "license": "ISC", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-28863", + "type": "vulnerability", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "publish_date": "2024-03-21", + "modification_date": "2024-06-10", + "fix_version": "6.2.1", + "solution": "Upgrade package tar to version 6.2.1 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + }, + { + "Id": "CWE-770", + "name": "Allocation of Resources Without Limits or Throttling" + } + ] + }, + { + "name": "CVE-2020-8244", + "type": "vulnerability", + "description": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "nvd_score": 6.4, + "nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:N/A:P", + "nvd_severity": "medium", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244", + "publish_date": "2020-08-30", + "modification_date": "2022-05-24", + "fix_version": "6.1.12", + "solution": "Upgrade package tar to version 6.1.12 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + 
"aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-125", + "name": "Out-of-bounds Read" + }, + { + "Id": "CWE-126", + "name": "Buffer Over-read" + } + ], + "epss_score": 0.00147, + "epss_percentile": 0.50647, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/tar", + "name": "tar", + "version": "6.2.0", + "cpe": "pkg:/npm:*:tar:6.2.0", + "license": "ISC", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-28863", + "type": "vulnerability", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. 
Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "publish_date": "2024-03-21", + "modification_date": "2024-06-10", + "fix_version": "6.2.1", + "solution": "Upgrade package tar to version 6.2.1 or above.", + "nvd_score_v3": 6.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "medium", + "aqua_score": 6.5, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 6.5", + "aqua_score_classification": "NVD CVSS V3 Score: 6.5", + "cwe_info": [ + { + "Id": "CWE-400", + "name": "Uncontrolled Resource Consumption" + }, + { + "Id": "CWE-770", + "name": "Allocation of Resources Without Limits or Throttling" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/request/node_modules/tough-cookie", + "name": "tough-cookie", + "version": "2.5.0", + "cpe": "pkg:/npm:*:tough-cookie:2.5.0", + "license": "BSD-3-Clause", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-26136", + "type": "vulnerability", + "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. 
This issue arises from the manner in which the objects are initialized.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", + "publish_date": "2023-07-01", + "modification_date": "2024-06-21", + "fix_version": "4.1.3", + "solution": "Upgrade package tough-cookie to version 4.1.3 or above.", + "nvd_score_v3": 9.8, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 9.8, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 9.8", + "aqua_score_classification": "NVD CVSS V3 Score: 9.8", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ], + "epss_score": 0.0016, + "epss_percentile": 0.52588, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/vm2", + "name": "vm2", + "version": "3.9.17", + "cpe": "pkg:/npm:*:vm2:3.9.17", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-32314", + "type": "vulnerability", + "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32314", + "publish_date": "2023-05-15", + "modification_date": "2023-05-24", + "fix_version": "3.9.18", + "solution": "Upgrade package vm2 to version 3.9.18 or above.", + "nvd_score_v3": 10, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 10, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 10.0", + "aqua_score_classification": "NVD CVSS V3 Score: 10.0", + "cwe_info": [ + { + "Id": "CWE-74", + "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + } + ], + "epss_score": 0.00456, + "epss_percentile": 0.72626, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-37466", + "type": "vulnerability", + "description": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. 
In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37466", + "publish_date": "2023-07-14", + "modification_date": "2024-02-01", + "nvd_score_v3": 10, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 10, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 10.0", + "aqua_score_classification": "NVD CVSS V3 Score: 10.0", + "cwe_info": [ + { + "Id": "CWE-94", + "name": "Improper Control of Generation of Code ('Code Injection')" + } + ], + "epss_score": 0.0024, + "epss_percentile": 0.62072, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-37903", + "type": "vulnerability", + "description": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. 
Users are advised to find an alternative software.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37903", + "publish_date": "2023-07-21", + "modification_date": "2024-02-01", + "nvd_score_v3": 10, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "nvd_severity_v3": "critical", + "aqua_score": 10, + "aqua_severity": "critical", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 10.0", + "aqua_score_classification": "NVD CVSS V3 Score: 10.0", + "cwe_info": [ + { + "Id": "CWE-78", + "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + } + ], + "epss_score": 0.00267, + "epss_percentile": 0.64246, + "epss_date": "2024-01-22" + }, + { + "name": "CVE-2023-32313", + "type": "vulnerability", + "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. 
Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32313", + "publish_date": "2023-05-15", + "modification_date": "2023-05-24", + "fix_version": "3.9.18", + "solution": "Upgrade package vm2 to version 3.9.18 or above.", + "nvd_score_v3": 5.3, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "nvd_severity_v3": "medium", + "aqua_score": 5.3, + "aqua_severity": "medium", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 5.3", + "aqua_score_classification": "NVD CVSS V3 Score: 5.3", + "cwe_info": [ + { + "Id": "CWE-74", + "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" + } + ], + "epss_score": 0.00052, + "epss_percentile": 0.17659, + "epss_date": "2024-01-22" + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/web3-utils", + "name": "web3-utils", + "version": "4.0.5", + "cpe": "pkg:/npm:*:web3-utils:4.0.5", + "license": "LGPL-3.0", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-21505", + "type": "vulnerability", + "description": "Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.\rAn attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21505", + "publish_date": "2024-03-25", + "modification_date": "2024-03-25", + "fix_version": "4.2.1", + "solution": "Upgrade package web3-utils to version 4.2.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1321", + "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/jsdom/node_modules/ws", + "name": "ws", + "version": "7.5.9", + "cpe": "pkg:/npm:*:ws:7.5.9", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-37890", + "type": "vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. 
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "publish_date": "2024-06-17", + "modification_date": "2024-06-20", + "fix_version": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "solution": "Upgrade package ws to version 7.5.10, 6.2.3, 5.2.4, 8.17.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/engine.io/node_modules/ws", + "name": "ws", + "version": "7.4.6", + "cpe": "pkg:/npm:*:ws:7.4.6", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-37890", + "type": "vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. 
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "publish_date": "2024-06-17", + "modification_date": "2024-06-20", + "fix_version": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "solution": "Upgrade package ws to version 7.5.10, 6.2.3, 5.2.4, 8.17.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/engine.io-client/node_modules/ws", + "name": "ws", + "version": "7.4.6", + "cpe": "pkg:/npm:*:ws:7.4.6", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-37890", + "type": "vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. 
A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "publish_date": "2024-06-17", + "modification_date": "2024-06-20", + "fix_version": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "solution": "Upgrade package ws to version 7.5.10, 6.2.3, 5.2.4, 8.17.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/ws", + "name": "ws", + "version": "8.5.0", + "cpe": "pkg:/npm:*:ws:8.5.0", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-37890", + "type": "vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. 
The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "publish_date": "2024-06-17", + "modification_date": "2024-06-20", + "fix_version": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "solution": "Upgrade package ws to version 7.5.10, 6.2.3, 5.2.4, 8.17.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/web3-providers-ws/node_modules/ws", + "name": "ws", + "version": "8.14.0", + "cpe": "pkg:/npm:*:ws:8.14.0", + "license": "MIT", + "layer": "COPY /juice-shop . # buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2024-37890", + "type": "vulnerability", + "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. 
The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "publish_date": "2024-06-17", + "modification_date": "2024-06-20", + "fix_version": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "solution": "Upgrade package ws to version 7.5.10, 6.2.3, 5.2.4, 8.17.1 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-476", + "name": "NULL Pointer Dereference" + } + ] + } + ] + }, + { + "resource": { + "format": "npm", + "path": "/juice-shop/node_modules/zod", + "name": "zod", + "version": "3.22.2", + "cpe": "pkg:/npm:*:zod:3.22.2", + "license": "MIT", + "layer": "COPY /juice-shop . 
# buildkit", + "layer_digest": "sha256:69c661528fdd4ef0a0f4fdbd62ec988b9efb5c1a4d11651adb877a13a40da37d" + }, + "scanned": true, + "vulnerabilities": [ + { + "name": "CVE-2023-4316", + "type": "vulnerability", + "description": "Zod in versions 3.21.0 up to and including 3.22.3 allows an attacker to perform a denial of service while validating emails.\n\n", + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4316", + "publish_date": "2023-09-28", + "modification_date": "2024-04-04", + "fix_version": "3.22.3", + "solution": "Upgrade package zod to version 3.22.3 or above.", + "nvd_score_v3": 7.5, + "nvd_vectors_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "nvd_severity_v3": "high", + "aqua_score": 7.5, + "aqua_severity": "high", + "aqua_vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "aqua_scoring_system": "CVSS V3", + "heuristic_ref_id": 265547, + "aqua_severity_classification": "NVD CVSS V3 Score: 7.5", + "aqua_score_classification": "NVD CVSS V3 Score: 7.5", + "cwe_info": [ + { + "Id": "CWE-1333", + "name": "Inefficient Regular Expression Complexity" + }, + { + "Id": "CWE-20", + "name": "Improper Input Validation" + } + ], + "epss_score": 0.00046, + "epss_percentile": 0.13737, + "epss_date": "2024-01-22" + } + ] + } + ], + "image_assurance_results": { + "checks_performed": [ + { + "policy_id": 6, + "policy_name": "Malware-Default-Policy", + "control": "malware", + "malware_file_scanned": 2057 + } + ] + }, + "vulnerability_summary": { + "total": 98, + "critical": 15, + "high": 47, + "medium": 35, + "low": 1, + "negligible": 38, + "sensitive": 3, + "score_average": 7.2989764 + }, + "scan_options": { + "scan_executables": true, + "scan_sensitive_data": true, + "scan_malware": true, + "scan_files": true, + "scan_timeout": 3600000000000, + "manual_pull_fallback": true, + "save_adhoc_scans": true, + "use_cvss3": true, + "dockerless": true, + "system_image_platform": "amd64:::", + "enable_fast_scanning": true, + "memoryThrottling": true, + 
"suggest_os_upgrade": true, + "adhoc_scan_retention": 30, + "enable_diff_ids": true, + "is_trivy_enabled": true, + "register_image": true, + "socket": "docker" + }, + "initiating_user": "myuser", + "pull_name": "test:latest", + "original_registry": "myregistry", + "scan_id": 1060, + "required_image_platform": "amd64:::", + "scanned_image_platform": ":::", + "security_feeds_used": { + "executables": "12345" + }, + "image_id": 45, + "internal_digest_id": { + "id": 276 + }, + "local": true, + "isAdhocRegister": true, + "OriginFromHostImage": true, + "FileHashEncoding": "zlib", + "registryType": 6 + } + } + ] + \ No newline at end of file diff --git a/unittests/scans/aqua/empty_aquadevops.json b/unittests/scans/aqua/empty_aquadevops.json new file mode 100644 index 00000000000..0637a088a01 --- /dev/null +++ b/unittests/scans/aqua/empty_aquadevops.json @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/unittests/tools/test_aqua_parser.py b/unittests/tools/test_aqua_parser.py index 96d07bd3dca..15cea5df521 100644 --- a/unittests/tools/test_aqua_parser.py +++ b/unittests/tools/test_aqua_parser.py @@ -98,3 +98,15 @@ def test_aqua_parser_issue_10585(self): parser = AquaParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) + + def test_aqua_parser_aqua_devops_issue_10611(self): + with open("unittests/scans/aqua/aqua_devops_issue_10611.json") as testfile: + parser = AquaParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(95, len(findings)) + + def test_aqua_parser_aqua_devops_empty(self): + with open("unittests/scans/aqua/empty_aquadevops.json") as testfile: + parser = AquaParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(0, len(findings)) From 04f5e0807f0dff5b77f5dbe0ad7b8296d41cf259 Mon Sep 17 00:00:00 2001 
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:05:40 -0500 Subject: [PATCH 04/16] Update Qualys WebApp parser to use DefusedXML (#10637) * Update Qualys WebApp parser to use DefusedXML * Correct ruff errors --- dojo/tools/qualys_webapp/parser.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dojo/tools/qualys_webapp/parser.py b/dojo/tools/qualys_webapp/parser.py index 729fc76d282..83a6a785c83 100644 --- a/dojo/tools/qualys_webapp/parser.py +++ b/dojo/tools/qualys_webapp/parser.py @@ -1,8 +1,9 @@ import base64 import re -import xml.etree.ElementTree from datetime import datetime +from defusedxml import ElementTree + from dojo.models import Endpoint, Finding try: @@ -418,7 +419,7 @@ def qualys_webapp_parser(qualys_xml_file, test, unique, enable_weakness=False): # supposed to be safe against XEE: # https://docs.python.org/3/library/xml.html#xml-vulnerabilities - tree = xml.etree.ElementTree.parse(qualys_xml_file) + tree = ElementTree.parse(qualys_xml_file) is_app_report = tree.getroot().tag == "WAS_WEBAPP_REPORT" if is_app_report: From 3e36b713aaf4da31e883d3fad30df5ea23823c65 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:06:30 -0500 Subject: [PATCH 05/16] Uploaded File Management: Centralize file serving and bolster error handling (#10638) * Uploaded File Management: Centralize file serving and embolster error handling * Correct ruff errors --- dojo/api_v2/views.py | 46 ++++------------------------------------ dojo/engagement/views.py | 8 +++---- dojo/utils.py | 28 +++++++++++++++++++++++- dojo/views.py | 29 ++++++++++++++++--------- 4 files changed, 54 insertions(+), 57 deletions(-) diff --git a/dojo/api_v2/views.py b/dojo/api_v2/views.py index da20e0e1931..42feb3a50e4 100644 --- a/dojo/api_v2/views.py +++ b/dojo/api_v2/views.py 
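Review bot: The comment kept directly above the changed line, `# supposed to be safe against XEE:` with its link to the stdlib xml-vulnerabilities page, now describes the parser this commit removed and undersells why the switch matters: stdlib ElementTree does not reject entity-expansion or external-entity constructs in an attacker-supplied report, which is exactly what `defusedxml.ElementTree.parse` adds. Replace the two comment lines with `# parsed with defusedxml so entity expansion and external entities in an untrusted report are rejected`. qualys_webapp_parser starts and ends outside the hunk, and the `try:` block after the import hunk is cut off, so whether anything else in the module still references `xml.etree` cannot be checked from here.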
@@ -164,6 +164,7 @@ from dojo.user.utils import get_configuration_permissions_codenames from dojo.utils import ( async_delete, + generate_file_response, get_setting, get_system_setting, ) @@ -646,21 +647,8 @@ def download_file(self, request, file_id, pk=None): {"error": "File ID not associated with Engagement"}, status=status.HTTP_404_NOT_FOUND, ) - # Get the path of the file in media root - file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}" - file_handle = open(file_path, "rb") # send file - response = FileResponse( - file_handle, - content_type=f"{mimetypes.guess_type(file_path)}", - status=status.HTTP_200_OK, - ) - response["Content-Length"] = file_object.file.size - response[ - "Content-Disposition" - ] = f'attachment; filename="{file_object.file.name}"' - - return response + return generate_file_response(file_object) class RiskAcceptanceViewSet( @@ -1156,21 +1144,8 @@ def download_file(self, request, file_id, pk=None): {"error": "File ID not associated with Finding"}, status=status.HTTP_404_NOT_FOUND, ) - # Get the path of the file in media root - file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}" - file_handle = open(file_path, "rb") # send file - response = FileResponse( - file_handle, - content_type=f"{mimetypes.guess_type(file_path)}", - status=status.HTTP_200_OK, - ) - response["Content-Length"] = file_object.file.size - response[ - "Content-Disposition" - ] = f'attachment; filename="{file_object.file.name}"' - - return response + return generate_file_response(file_object) @extend_schema( request=serializers.FindingNoteSerializer, 
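Review bot: The attachment filename returned to API clients changes silently in this `download_file` hunk and in the two following ones for Finding and Test: the removed lines sent `file_object.file.name`, whereas `generate_file_response` in dojo/utils.py builds `f"{file_object.title}{file_extension}"`, so clients that keyed on the served name will see different names. This is a client-visible change the commit message does not mention; add a line to the commit description or API changelog, and a sentence to the helper's docstring such as `The download name is the upload's title plus the stored file's extension, not its storage name.` Each download_file method begins outside its hunk, so the association checks above the return are only partly visible.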
@@ -2320,21 +2295,8 @@ def download_file(self, request, file_id, pk=None): {"error": "File ID not associated with Test"}, status=status.HTTP_404_NOT_FOUND, ) - # Get the path of the file in media root - file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}" - file_handle = open(file_path, "rb") # send file - response = FileResponse( - file_handle, - content_type=f"{mimetypes.guess_type(file_path)}", - status=status.HTTP_200_OK, - ) - response["Content-Length"] = file_object.file.size - response[ - "Content-Disposition" - ] = f'attachment; filename="{file_object.file.name}"' - - return response + return generate_file_response(file_object) # Authorization: authenticated, configuration diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index f03d28dde34..6eb4d7cf876 100644 --- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -1,5 +1,6 @@ import csv import logging +import mimetypes import operator import re from datetime import datetime @@ -1481,12 +1482,11 @@ def delete_risk_acceptance(request, eid, raid): @user_is_authorized(Engagement, Permissions.Engagement_View, 'eid') def download_risk_acceptance(request, eid, raid): - import mimetypes - mimetypes.init() - risk_acceptance = get_object_or_404(Risk_Acceptance, pk=raid) - + # Ensure the risk acceptance is under the supplied engagement + if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists(): + raise PermissionDenied response = StreamingHttpResponse( FileIterWrapper( open(settings.MEDIA_ROOT + "/" + risk_acceptance.path.name, mode='rb'))) diff --git a/dojo/utils.py b/dojo/utils.py index 6c0b16bbdfa..24866a88fc8 100644 --- a/dojo/utils.py +++ b/dojo/utils.py 
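Review bot: The new ownership check raises `PermissionDenied`, so a user who may view engagement `eid` can learn that an arbitrary `raid` exists under some other engagement from the 403-versus-404 difference; the API views in this same commit answer the equivalent mismatch with a 404 (`"File ID not associated with Engagement"`), and `raise Http404` here would match that. The file is still served by concatenating `settings.MEDIA_ROOT` with `risk_acceptance.path.name` and wrapping a bare `open(...)` in a `StreamingHttpResponse`, unlike the other download paths that now go through `generate_file_response`; if `Risk_Acceptance.path` is not a `FileUpload` the helper's isinstance guard would reject it, so the storage-aware `risk_acceptance.path.open("rb")` is the nearer fix. download_risk_acceptance continues past the hunk.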
@@ -26,7 +26,7 @@ from django.db.models.query import QuerySet from django.db.models.signals import post_save from django.dispatch import receiver -from django.http import HttpResponseRedirect +from django.http import FileResponse, HttpResponseRedirect from django.urls import get_resolver, get_script_prefix, reverse from django.utils import timezone from django.utils.translation import gettext as _ @@ -48,6 +48,7 @@ Dojo_User, Endpoint, Engagement, + FileUpload, Finding, Finding_Group, Finding_Template, @@ -2588,3 +2589,28 @@ def get_open_findings_burndown(product): past_90_days['y_min'] = running_min return past_90_days + + +def generate_file_response(file_object: FileUpload) -> FileResponse: + """Serve an uploaded file in a uniformed way. + + This function assumes all permissions have previously validated/verified + by the caller of this function. + """ + # Quick check to ensure we have the right type of object + if not isinstance(file_object, FileUpload): + msg = f"FileUpload object expected but type <{type(file_object)}> received." + raise TypeError(msg) + # Determine the path of the file on disk within the MEDIA_ROOT + file_path = f'{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}' + _, file_extension = os.path.splitext(file_path) + # Generate the FileResponse + response = FileResponse( + open(file_path, "rb"), + filename=f"{file_object.title}{file_extension}", + content_type=f"{mimetypes.guess_type(file_path)}", + ) + # Add some important headers + response["Content-Disposition"] = f'attachment; filename="{file_object.title}{file_extension}"' + response["Content-Length"] = file_object.file.size + return response diff --git a/dojo/views.py b/dojo/views.py index 09a0dcad73e..c59619621b9 100644 --- a/dojo/views.py +++ b/dojo/views.py 
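Review bot: `content_type=f"{mimetypes.guess_type(file_path)}"` stringifies the `(type, encoding)` tuple, so every download is served with a Content-Type such as `('text/plain', None)` instead of a media type; use the first element with an `application/octet-stream` fallback. `file_object.file.url.lstrip(settings.MEDIA_URL)` strips a character set rather than a prefix, so a stored name beginning with any character of MEDIA_URL loses characters and the `open()` fails or hits a different path; `file_object.file.path` (or `str.removeprefix`) is the prefix-safe form, given that the existing MEDIA_ROOT concatenation already assumes local storage. The manual `Content-Disposition` assignment then overwrites the header that `FileResponse(filename=...)` had already built with proper quoting and RFC 5987 encoding, so a title containing a double quote or non-ASCII text yields a malformed header; passing `as_attachment=True` and dropping the manual line keeps Django's escaping. `_, file_extension = os.path.splitext(...)` rebinds `_` inside a module that imports `gettext as _` (visible in the first hunk), a trap for any later translated string in this function. This assumes `os` and `mimetypes` are already imported in utils.py, which the diff does not show.
```python
def generate_file_response(file_object: FileUpload) -> FileResponse:
    # … unchanged: docstring and FileUpload isinstance check …
    # FieldFile.path resolves the on-disk location; str.lstrip would strip
    # characters, not the MEDIA_URL prefix
    file_path = file_object.file.path
    file_extension = os.path.splitext(file_path)[1]
    # guess_type returns (type, encoding); fall back to a generic binary type
    content_type = mimetypes.guess_type(file_path)[0] or "application/octet-stream"
    # as_attachment/filename make Django emit a correctly quoted Content-Disposition
    response = FileResponse(
        open(file_path, "rb"),
        as_attachment=True,
        filename=f"{file_object.title}{file_extension}",
        content_type=content_type,
    )
    response["Content-Length"] = file_object.file.size
    return response
```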
@@ -7,10 +7,9 @@ from django.contrib.auth.decorators import login_required from django.contrib.contenttypes.models import ContentType from django.core.exceptions import ObjectDoesNotExist, PermissionDenied -from django.http import FileResponse, Http404, HttpResponseRedirect +from django.http import Http404, HttpResponseRedirect from django.shortcuts import get_object_or_404, render from django.urls import reverse -from django.views.static import serve from dojo.authorization.authorization import ( user_has_configuration_permission_or_403, @@ -21,7 +20,7 @@ from dojo.filters import LogEntryFilter from dojo.forms import ManageFileFormSet from dojo.models import Endpoint, Engagement, FileUpload, Finding, Product, Test -from dojo.utils import Product_Tab, get_page_items +from dojo.utils import Product_Tab, generate_file_response, get_page_items logger = logging.getLogger(__name__) @@ -189,13 +188,16 @@ def manage_files(request, oid, obj_type): }) -# Serve the file only after verifying the user is supposed to see the file @login_required def protected_serve(request, path, document_root=None, show_indexes=False): + """Serve the file only after verifying the user is supposed to see the file.""" file = FileUpload.objects.get(file=path) if not file: raise Http404 object_set = list(file.engagement_set.all()) + list(file.test_set.all()) + list(file.finding_set.all()) + # Determine if there is an object to query permission checks from + if len(object_set) == 0: + raise Http404 # Should only one item (but not sure what type) in the list, so O(n=1) for obj in object_set: if isinstance(obj, Engagement): 
@@ -204,23 +206,30 @@ def protected_serve(request, path, document_root=None, show_indexes=False): user_has_permission_or_403(request.user, obj, Permissions.Test_View) elif isinstance(obj, Finding): user_has_permission_or_403(request.user, obj, Permissions.Finding_View) - return serve(request, path, document_root, show_indexes) + + return generate_file_response(file) def access_file(request, fid, oid, obj_type, url=False): + def check_file_belongs_to_object(file, object_manager, object_id): + if not object_manager.filter(id=object_id).exists(): + raise PermissionDenied + + file = get_object_or_404(FileUpload, pk=fid) if obj_type == 'Engagement': obj = get_object_or_404(Engagement, pk=oid) user_has_permission_or_403(request.user, obj, Permissions.Engagement_View) + obj_manager = file.engagement_set elif obj_type == 'Test': obj = get_object_or_404(Test, pk=oid) user_has_permission_or_403(request.user, obj, Permissions.Test_View) + obj_manager = file.test_set elif obj_type == 'Finding': obj = get_object_or_404(Finding, pk=oid) user_has_permission_or_403(request.user, obj, Permissions.Finding_View) + obj_manager = file.finding_set else: raise Http404 - # If reaching this far, user must have permission to get file - file = get_object_or_404(FileUpload, pk=fid) - redirect_url = f'{settings.MEDIA_ROOT}/{file.file.url.lstrip(settings.MEDIA_URL)}' - print(redirect_url) - return FileResponse(open(redirect_url, "rb")) + check_file_belongs_to_object(file, obj_manager, obj.id) + + return generate_file_response(file) From bb4bb104f172fce65e38422fb0d983099e514db3 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:07:21 -0500 Subject: [PATCH 06/16] Engagement: Add missing permission check to view an Engagement (#10639) --- dojo/engagement/views.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dojo/engagement/views.py b/dojo/engagement/views.py index 6eb4d7cf876..8aa2f266d79 100644 
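Review bot: `FileUpload.objects.get(file=path)` raises `FileUpload.DoesNotExist` for an unknown path rather than returning a falsy value, so the `if not file: raise Http404` guard just above the added check can never fire and a request for a non-existent path surfaces as an unhandled exception instead of a 404; `file = get_object_or_404(FileUpload, file=path)` fixes this and `get_object_or_404` is already imported in this file. The new empty-set guard is right in intent, but `if not object_set:` is the idiomatic form of `if len(object_set) == 0:`. The `path` argument is used only as a database lookup key and the response is built from the stored file object, which is what keeps this view clear of path handling; a comment saying so, `# path is a DB lookup key, never opened directly`, would keep a future refactor from changing that. protected_serve continues in the next hunk.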
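Review bot: `file = get_object_or_404(FileUpload, pk=fid)` now runs before any of the `user_has_permission_or_403` calls, so a requester without access to the object can still tell whether a file id exists from the 404-versus-403 difference; resolve `obj` and its permission first, then look the file up, and consider raising `Http404` from `check_file_belongs_to_object` as the API views in this commit do for the same mismatch. `check_file_belongs_to_object` does not close over anything from access_file, so a module-level `_check_file_belongs_to_object` helper would be easier to reuse and test. The `url` parameter in the signature is unused in the visible body. access_file's signature is the hunk's context line, so the function starts at the hunk and its end is visible.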
--- a/dojo/engagement/views.py +++ b/dojo/engagement/views.py @@ -440,6 +440,8 @@ def get_filtered_tests( def get(self, request, eid, *args, **kwargs): eng = get_object_or_404(Engagement, id=eid) + # Make sure the user is authorized + user_has_permission_or_403(request.user, eng, Permissions.Engagement_View) tests = eng.test_set.all().order_by('test_type__name', '-updated') default_page_num = 10 tests_filter = self.get_filtered_tests(request, tests, eng) @@ -508,6 +510,8 @@ def get(self, request, eid, *args, **kwargs): def post(self, request, eid, *args, **kwargs): eng = get_object_or_404(Engagement, id=eid) + # Make sure the user is authorized + user_has_permission_or_403(request.user, eng, Permissions.Engagement_View) tests = eng.test_set.all().order_by('test_type__name', '-updated') default_page_num = 10 From a780a8f2970bbc58be49bbcabe31b29e8eaf47e0 Mon Sep 17 00:00:00 2001 
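Review bot: The same two lines, `# Make sure the user is authorized` and `user_has_permission_or_403(request.user, eng, Permissions.Engagement_View)`, are added to both `get` and `post`, and the second hunk carries the same point; with the class not visible here, a single `dispatch`-level check or a small `_get_engagement_or_403(request, eid)` helper would keep the two entry points from drifting when a third method is added. The check is correctly placed after `get_object_or_404`, so an unknown engagement still answers 404 rather than 403. Both methods continue past their hunks.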
From: dogboat Date: Mon, 29 Jul 2024 10:28:56 -0400 Subject: [PATCH 07/16] Finding notes cascading deletes (#10636) * finding-notes-cascading-deletes first pass at cascading deletes for notes/notehistory * finding-notes-cascading-deletes remove unused code * finding-notes-cascading-deletes linter cleanup * finding-notes-cascading-deletes retrigger actions --- dojo/apps.py | 5 +++++ dojo/benchmark/signals.py | 14 ++++++++++++++ dojo/cred/signals.py | 14 ++++++++++++++ dojo/engagement/signals.py | 8 +++++++- dojo/finding/helper.py | 3 ++- dojo/notes/helper.py | 11 +++++++++++ dojo/notes/signals.py | 18 ++++++++++++++++++ dojo/risk_acceptance/helper.py | 3 --- dojo/risk_acceptance/signals.py | 14 ++++++++++++++ dojo/test/signals.py | 8 +++++++- dojo/tool_product/signals.py | 14 ++++++++++++++ 11 files changed, 106 insertions(+), 6 deletions(-) create mode 100644 dojo/benchmark/signals.py create mode 100644 dojo/cred/signals.py create mode 100644 dojo/notes/helper.py create mode 100644 dojo/notes/signals.py create mode 100644 dojo/risk_acceptance/signals.py create mode 100644 dojo/tool_product/signals.py diff --git a/dojo/apps.py b/dojo/apps.py index e12ea7459be..4b54e92691f 100644 --- a/dojo/apps.py +++ b/dojo/apps.py 
@@ -72,14 +72,19 @@ def ready(self): # Load any signals here that will be ready for runtime # Importing the signals file is good enough if using the reciever decorator import dojo.announcement.signals # noqa: F401 + import dojo.benchmark.signals # noqa: F401 + import dojo.cred.signals # noqa: F401 import dojo.endpoint.signals # noqa: F401 import dojo.engagement.signals # noqa: F401 import dojo.finding_group.signals # noqa: F401 + import dojo.notes.signals # noqa: F401 import dojo.product.signals # noqa: F401 import dojo.product_type.signals # noqa: F401 + import dojo.risk_acceptance.signals # noqa: F401 import dojo.sla_config.helpers # noqa: F401 import dojo.tags_signals # noqa: F401 import dojo.test.signals # noqa: F401 + import dojo.tool_product.signals # noqa: F401 def get_model_fields_with_extra(model, extra_fields=()): diff --git a/dojo/benchmark/signals.py b/dojo/benchmark/signals.py new file mode 100644 index 00000000000..6f87fa320cd --- /dev/null +++ b/dojo/benchmark/signals.py @@ -0,0 +1,14 @@ +import logging + +from django.db.models.signals import pre_delete +from django.dispatch import receiver + +from dojo.models import Benchmark_Product +from dojo.notes.helper import delete_related_notes + +logger = logging.getLogger(__name__) + + +@receiver(pre_delete, sender=Benchmark_Product) +def benchmark_product_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) diff --git a/dojo/cred/signals.py b/dojo/cred/signals.py new file mode 100644 index 00000000000..9cf72fdd5c0 --- /dev/null +++ b/dojo/cred/signals.py @@ -0,0 +1,14 @@ +import logging + +from django.db.models.signals import pre_delete +from django.dispatch import receiver + +from dojo.models import Cred_User +from dojo.notes.helper import delete_related_notes + +logger = logging.getLogger(__name__) + + +@receiver(pre_delete, sender=Cred_User) +def cred_user_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) 
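Review bot: `logger = logging.getLogger(__name__)` in the new dojo/benchmark/signals.py is never used, and the same unused logger and `import logging` appear in dojo/cred/signals.py on this line, dojo/risk_acceptance/signals.py and dojo/tool_product/signals.py; either drop both lines or log the deletion, e.g. `logger.debug("pre_delete %s %s: removing related notes", sender.__name__, instance.id)`. The receivers themselves are one-liners delegating to `delete_related_notes`, so a one-line docstring naming the model whose notes are cascaded, `"""Remove notes attached to a Benchmark_Product before it is deleted."""`, is the only documentation they need.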
diff --git a/dojo/engagement/signals.py b/dojo/engagement/signals.py index f8863ee8620..a094a84f359 100644 --- a/dojo/engagement/signals.py +++ b/dojo/engagement/signals.py @@ -1,12 +1,13 @@ from auditlog.models import LogEntry from django.conf import settings from django.contrib.contenttypes.models import ContentType -from django.db.models.signals import post_delete, post_save, pre_save +from django.db.models.signals import post_delete, post_save, pre_delete, pre_save from django.dispatch import receiver from django.urls import reverse from django.utils.translation import gettext as _ from dojo.models import Engagement +from dojo.notes.helper import delete_related_notes from dojo.notifications.helper import create_notification @@ -55,3 +56,8 @@ def engagement_post_delete(sender, instance, using, origin, **kwargs): url=reverse('view_product', args=(instance.product.id, )), recipients=[instance.lead], icon="exclamation-triangle") + + +@receiver(pre_delete, sender=Engagement) +def engagement_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) diff --git a/dojo/finding/helper.py b/dojo/finding/helper.py index 571e6407900..7620ace1242 100644 --- a/dojo/finding/helper.py +++ b/dojo/finding/helper.py @@ -23,6 +23,7 @@ Vulnerability_Id, Vulnerability_Id_Template, ) +from dojo.notes.helper import delete_related_notes from dojo.utils import get_current_user, mass_model_updater, to_str_typed logger = logging.getLogger(__name__) @@ -402,8 +403,8 @@ def finding_pre_delete(sender, instance, **kwargs): logger.debug('finding pre_delete: %d', instance.id) # this shouldn't be necessary as Django should remove any Many-To-Many entries automatically, might be a bug in Django? # https://code.djangoproject.com/ticket/154 - instance.found_by.clear() + delete_related_notes(instance) def finding_delete(instance, **kwargs): diff --git a/dojo/notes/helper.py b/dojo/notes/helper.py new file mode 100644 index 00000000000..f4153818387 --- /dev/null 
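Review bot: In `finding_pre_delete`, the two-line comment `# this shouldn't be necessary as Django should remove any Many-To-Many entries automatically...` with the Django ticket link appears to be retained while the `instance.found_by.clear()` call it explained is the removed line, leaving it attached to the new `delete_related_notes(instance)` call it does not describe; drop the comment or reword it to `# Notes are reverse-related and are not cascaded by Django, so remove them explicitly`. If `found_by.clear()` was removed on purpose, the commit message should say so, since the removed line was a documented workaround. finding_pre_delete begins at the hunk's context line and ends within the hunk.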
+++ b/dojo/notes/helper.py @@ -0,0 +1,11 @@ +import logging + +logger = logging.getLogger(__name__) + + +def delete_related_notes(obj): + if not hasattr(obj, 'notes'): + logger.warning(f"Attempted to delete notes from object type {type(obj)} without 'notes' attribute.") + return + logging.debug(f"Deleting {obj.notes.count()} notes for {type(obj).__name__} {obj.id}") + obj.notes.all().delete() diff --git a/dojo/notes/signals.py b/dojo/notes/signals.py new file mode 100644 index 00000000000..222efba832f --- /dev/null +++ b/dojo/notes/signals.py @@ -0,0 +1,18 @@ +import logging + +from django.db.models.signals import pre_delete +from django.dispatch import receiver + +from dojo.models import Notes + +logger = logging.getLogger(__name__) + + +def delete_note_history(note): + logging.debug(f"Deleting history for note {note.id}") + note.history.all().delete() + + +@receiver(pre_delete, sender=Notes) +def note_pre_delete(sender, instance, **kwargs): + delete_note_history(instance) diff --git a/dojo/risk_acceptance/helper.py b/dojo/risk_acceptance/helper.py index 9ceedfaab47..45638fced3f 100644 --- a/dojo/risk_acceptance/helper.py +++ b/dojo/risk_acceptance/helper.py @@ -98,9 +98,6 @@ def delete(eng, risk_acceptance): eng.risk_acceptance.remove(risk_acceptance) eng.save() - for note in risk_acceptance.notes.all(): - note.delete() - risk_acceptance.path.delete() risk_acceptance.delete() diff --git a/dojo/risk_acceptance/signals.py b/dojo/risk_acceptance/signals.py new file mode 100644 index 00000000000..38e3cb2be6d --- /dev/null +++ b/dojo/risk_acceptance/signals.py @@ -0,0 +1,14 @@ +import logging + +from django.db.models.signals import pre_delete +from django.dispatch import receiver + +from dojo.models import Risk_Acceptance +from dojo.notes.helper import delete_related_notes + +logger = logging.getLogger(__name__) + + +@receiver(pre_delete, sender=Risk_Acceptance) +def risk_acceptance_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) 
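Review bot: `delete_related_notes` logs through the root logger, `logging.debug(...)`, instead of the module `logger` defined a few lines above it, so the message bypasses any level configured for dojo.notes; `delete_note_history` in the new dojo/notes/signals.py has the same slip. Both also format with f-strings, which builds the string even when debug is off, and the separate `obj.notes.count()` query only serves the log line when `QuerySet.delete()` already returns the count: `deleted, _ = obj.notes.all().delete()` followed by `logger.debug("Deleted %d notes for %s %s", deleted, type(obj).__name__, obj.id)`. The `hasattr(obj, 'notes')` guard deserves a docstring line such as `Best-effort: objects without a notes relation are logged and skipped rather than raised on, since this runs inside pre_delete.`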
diff --git a/dojo/test/signals.py b/dojo/test/signals.py index 47d4fdffb8e..f84aacdb07b 100644 --- a/dojo/test/signals.py +++ b/dojo/test/signals.py @@ -3,12 +3,13 @@ from auditlog.models import LogEntry from django.conf import settings from django.contrib.contenttypes.models import ContentType -from django.db.models.signals import post_delete, pre_save +from django.db.models.signals import post_delete, pre_delete, pre_save from django.dispatch import receiver from django.urls import reverse from django.utils.translation import gettext as _ from dojo.models import Finding, Test +from dojo.notes.helper import delete_related_notes from dojo.notifications.helper import create_notification @@ -49,3 +50,8 @@ def update_found_by_for_findings(sender, instance, **kwargs): for find in findings: find.found_by.remove(old_test_type) find.found_by.add(new_test_type) + + +@receiver(pre_delete, sender=Test) +def test_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) diff --git a/dojo/tool_product/signals.py b/dojo/tool_product/signals.py new file mode 100644 index 00000000000..96dd881ff45 --- /dev/null +++ b/dojo/tool_product/signals.py @@ -0,0 +1,14 @@ +import logging + +from django.db.models.signals import pre_delete +from django.dispatch import receiver + +from dojo.models import Tool_Product_Settings +from dojo.notes.helper import delete_related_notes + +logger = logging.getLogger(__name__) + + +@receiver(pre_delete, sender=Tool_Product_Settings) +def tool_product_settings_pre_delete(sender, instance, **kwargs): + delete_related_notes(instance) From 18e18377a7b6bd1c1bece66fd11cc44769f53d04 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:28:44 -0500 Subject: [PATCH 08/16] Benchmarks: Add additional permissions for AJAX calls (#10640) --- dojo/benchmark/views.py | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/dojo/benchmark/views.py b/dojo/benchmark/views.py index 2169fd34d0c..c2a085a2d87 100644 --- a/dojo/benchmark/views.py +++ b/dojo/benchmark/views.py @@ -43,6 +43,7 @@ def add_benchmark(queryset, product): pass +@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid") def update_benchmark(request, pid, _type): if request.method == "POST": bench_id = request.POST.get("bench_id") @@ -90,6 +91,7 @@ def update_benchmark(request, pid, _type): ) +@user_is_authorized(Product, Permissions.Benchmark_Edit, "pid") def update_benchmark_summary(request, pid, _type, summary): if request.method == "POST": field = request.POST.get("field") From e342639f4286ab3a158f774fa0f09710902a55ac Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:29:20 -0500 Subject: [PATCH 09/16] Refresh Helm Cart Lock File: The removal (#10641) The refresh helm chart lock file action uses the `pull_request_target` trigger, which can lead to leaking secret. Because the helm chart lock file is updated on each modification to the chart.yml file by renovate/dependabot, the easiest solution is to remove this action. --- .github/workflows/refresh_helm_lock_file.yaml | 40 ------------------- 1 file changed, 40 deletions(-) delete mode 100644 .github/workflows/refresh_helm_lock_file.yaml diff --git a/.github/workflows/refresh_helm_lock_file.yaml b/.github/workflows/refresh_helm_lock_file.yaml deleted file mode 100644 index 2a795b65179..00000000000 --- a/.github/workflows/refresh_helm_lock_file.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: 'Referesh Chart.lock' -on: - pull_request_target: - branches: - - dev - paths: - - 'helm/defectdojo/Chart.yaml' -permissions: - contents: write -jobs: - update-chart-lock: - runs-on: ubuntu-latest - - steps: - - name: Checkout bitnami/charts - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - path: charts - token: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Helm - uses: azure/setup-helm@v4 - with: - version: v3.4.0 - - - name: Execute generate new Chart.lock file - run: | - helm repo add bitnami https://charts.bitnami.com/bitnami - helm dependency list ./charts/helm/defectdojo - helm dependency update ./charts/helm/defectdojo - - name: Push changes - run: | - # Push all the changes - cd charts - if git status -s | grep helm; then - git config user.name "DefectDojo" - git config user.email "defectdojo-project@owasp.org" - git add . && git commit -am "Update helm lock file" --signoff && git push - fi From bb24b6fd5677343ac6aedb3cca9eb0c3f343d07b Mon Sep 17 00:00:00 2001 From: dogboat Date: Mon, 29 Jul 2024 12:51:07 -0400 Subject: [PATCH 10/16] creds-notes-fixes Some updates to creds/cred-related notes: Show "Add Note" button on cred notes page; show delete note button for note creator and fix note deletion; fix "Associated Products" header to have less spacing around it; fix credential deletion (#10644) --- dojo/cred/views.py | 7 +- dojo/notes/views.py | 9 +- dojo/templates/dojo/view_cred_details.html | 102 ++++++++++----------- 3 files changed, 61 insertions(+), 57 deletions(-) diff --git a/dojo/cred/views.py b/dojo/cred/views.py index 26d5d62f875..97f9205247e 100644 --- a/dojo/cred/views.py +++ b/dojo/cred/views.py @@ -112,7 +112,8 @@ def view_cred_details(request, ttid): 'cred': cred, 'form': form, 'notes': notes, - 'cred_products': cred_products + 'cred_products': cred_products, + 'person': request.user.username, }) 
@@ -650,7 +651,7 @@ def delete_cred_controller(request, destination_url, id, ttid): if id: product = None if destination_url == "all_cred_product": - product = get_object_or_404(Product, id) + product = get_object_or_404(Product, id=id) elif destination_url == "view_engagement": engagement = get_object_or_404(Engagement, id=id) product = engagement.product @@ -669,7 +670,7 @@ def delete_cred_controller(request, destination_url, id, ttid): @user_is_authorized(Cred_User, Permissions.Credential_Delete, 'ttid') def delete_cred(request, ttid): - return delete_cred_controller(request, "cred", 0, ttid) + return delete_cred_controller(request, "cred", 0, ttid=ttid) @user_is_authorized(Product, Permissions.Product_Edit, 'pid') diff --git a/dojo/notes/views.py b/dojo/notes/views.py index 3ccb8ae1f80..ed8a34e7eca 100644 --- a/dojo/notes/views.py +++ b/dojo/notes/views.py @@ -15,7 +15,7 @@ # Local application/library imports from dojo.forms import DeleteNoteForm, NoteForm, TypedNoteForm -from dojo.models import Engagement, Finding, Note_Type, NoteHistory, Notes, Test +from dojo.models import Cred_User, Engagement, Finding, Note_Type, NoteHistory, Notes, Test logger = logging.getLogger(__name__) @@ -37,6 +37,11 @@ def delete_note(request, id, page, objid): object = get_object_or_404(Finding, id=objid) object_id = object.id reverse_url = "view_finding" + elif page == "cred": + object = get_object_or_404(Cred_User, id=objid) + object_id = object.id + reverse_url = "view_cred_details" + form = DeleteNoteForm(request.POST, instance=note) if page is None: @@ -53,7 +58,7 @@ def delete_note(request, id, page, objid): else: messages.add_message(request, messages.SUCCESS, - _('Note was not succesfully deleted.'), + _('Note was not successfully deleted.'), extra_tags='alert-danger') return HttpResponseRedirect(reverse(reverse_url, args=(object_id, ))) diff --git a/dojo/templates/dojo/view_cred_details.html b/dojo/templates/dojo/view_cred_details.html index 4d43d7d8f83..6b066fc7d8b 100644 
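Review bot: The new `cred` branch of `delete_note` resolves the `Cred_User` and the redirect target but, like the branches above it in the hunk, shows no authorization step; if the object-type checks for Engagement/Test/Finding live elsewhere in the function (its start is outside the hunk), the cred branch needs a matching `Cred_User` check, as `delete_cred` in dojo/cred/views.py does with `Permissions.Credential_Delete`, and if the only gate is the template's `person == note.author.username` comparison then note deletion is enforced client-side only. A comment at the top of the branch stating where the permission check happens, `# authorization: <where it is enforced>`, would make that answerable from the view itself. The branch continues the existing `object = ...` naming, which shadows the builtin; `obj` is the conventional choice for new lines.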
--- a/dojo/templates/dojo/view_cred_details.html +++ b/dojo/templates/dojo/view_cred_details.html @@ -99,11 +99,7 @@

Login Details

-
-
-

Associated Products

-
-
+

Associated Products

{% if cred_products %} @@ -142,56 +138,58 @@

Associated Products

Notes

- {% if notes %} - - - - - - - - - - {% for note in notes %} +
+ {% if notes %} +
UserDateNote
+ - - - + + + - {% endfor %} - - -
- {{ note.author.username }} - - {{ note.date }} - - {{ note }} - {% if person == note.author.username %} - - - - {% endif %} - UserDateNote
- {% else %} - -

No notes found.

- {% endif %} -
- -
{% csrf_token %} - {% include "dojo/form_fields.html" with form=form %} -
-
- - + + + {% for note in notes %} + + + {{ note.author.username }} + + + {{ note.date }} + + + {{ note }} + {% if person == note.author.username %} +
+ + {% csrf_token %} + + + +
+ {% endif %} + + + {% endfor %} + + + {% else %} +

No notes found.

+ {% endif %} +
+
{% csrf_token %} + {% include "dojo/form_fields.html" with form=form %} +
+
+ +
-
- -
-
+ +
{% endblock %} From c9abc65986de5117e1b0407ed09c4fc0ab74ba95 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 12:57:41 -0500 Subject: [PATCH 11/16] Importer: Correct logic bug for empty scan reports (#10645) * Importer: Correct logic bug for empty scan reports When importing an empty scan report through the import endpoint, it is possible for two tests to be created during a single request * Separate logic based on import vs reimport --- dojo/importers/base_importer.py | 13 +++++-------- dojo/importers/default_importer.py | 18 ++++++++++++++++++ dojo/importers/default_reimporter.py | 18 ++++++++++++++++++ 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/dojo/importers/base_importer.py b/dojo/importers/base_importer.py index b2ff46e8f1b..56250646c0a 100644 --- a/dojo/importers/base_importer.py +++ b/dojo/importers/base_importer.py @@ -212,15 +212,12 @@ def parse_findings( """ Determine how to parse the findings based on the presence of the `get_tests` function on the parser object + + This function will vary by importer, so it is marked as + abstract with a prohibitive exception raised if the + method is attempted to to be used by the BaseImporter class """ - # Attempt any preprocessing before generating findings - if len(self.parsed_findings) == 0 or self.test is None: - scan = self.process_scan_file(scan) - if hasattr(parser, 'get_tests'): - self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser) - else: - self.parsed_findings = self.parse_findings_static_test_type(scan, parser) - return self.parsed_findings + self.check_child_implementation_exception() def sync_process_findings( self, diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py index 0371b5d0ad3..78ffb0ba0af 100644 --- a/dojo/importers/default_importer.py +++ b/dojo/importers/default_importer.py 
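Review bot: The new docstring reads `method is attempted to to be used by the BaseImporter class`; drop the doubled `to`. Since the body is now only `self.check_child_implementation_exception()`, the docstring should also say which subclasses implement it and that the `-> List[Finding]` annotation on the signature (above the hunk) describes the subclass contract, e.g. `Implemented by DefaultImporter and DefaultReImporter; the base method never returns.` parse_findings's signature starts above the hunk.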
@@ -293,6 +293,24 @@ def close_old_findings( return old_findings + def parse_findings( + self, + scan: TemporaryUploadedFile, + parser: Parser, + ) -> List[Finding]: + """ + Determine how to parse the findings based on the presence of the + `get_tests` function on the parser object + """ + # Attempt any preprocessing before generating findings + if len(self.parsed_findings) == 0 and self.test is None: + scan = self.process_scan_file(scan) + if hasattr(parser, 'get_tests'): + self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser) + else: + self.parsed_findings = self.parse_findings_static_test_type(scan, parser) + return self.parsed_findings + def parse_findings_static_test_type( self, scan: TemporaryUploadedFile, diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py index e3a28e7f348..24fd14be84d 100644 --- a/dojo/importers/default_reimporter.py +++ b/dojo/importers/default_reimporter.py @@ -277,6 +277,24 @@ def close_old_findings( return mitigated_findings + def parse_findings( + self, + scan: TemporaryUploadedFile, + parser: Parser, + ) -> List[Finding]: + """ + Determine how to parse the findings based on the presence of the + `get_tests` function on the parser object + """ + # Attempt any preprocessing before generating findings + if len(self.parsed_findings) == 0 or self.test is None: + scan = self.process_scan_file(scan) + if hasattr(parser, 'get_tests'): + self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser) + else: + self.parsed_findings = self.parse_findings_static_test_type(scan, parser) + return self.parsed_findings + def parse_findings_static_test_type( self, scan: TemporaryUploadedFile, From 2bc434b0a7a0a8055cae008301359db2be3fd2f9 Mon Sep 17 00:00:00 2001 
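Review bot: The guard `if len(self.parsed_findings) == 0 and self.test is None:` is the whole bug fix, but nothing in the hunk records why `and` is right here while the reimporter keeps `or`; the next reader will see two near-identical methods differing by one operator and "fix" one of them. Add a why-comment above the condition, e.g. `# Parse at most once per import: the dynamic-test-type path presumably creates self.test, so an empty first pass must not trigger a second parse (and a second Test) on a later call — see #10645`, since the docstring is copied verbatim from the base class and says nothing about this. `not self.parsed_findings` is the idiomatic form of the length check. The surrounding class continues outside the hunk.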
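Review bot: The reimporter's `parse_findings` duplicates the importer's method line for line except for `or` versus `and` in the guard, so the two will drift silently as the parsing logic evolves. Rather than two copies, the shared body could stay in `BaseImporter.parse_findings` with each subclass supplying only the predicate, e.g. a one-line `_should_parse(self) -> bool` hook returning `not self.parsed_findings or self.test is None` here and the `and` form in the importer. If the bodies must stay duplicated, a comment stating why a reimport re-parses whenever `self.test is None` (presumably a reimport always has an existing test, making the second clause a safety net) would at least explain the asymmetry. The class continues outside the hunk.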
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 13:11:02 -0500 Subject: [PATCH 12/16] Report ToC: Expand on whitespace escaping (#10646) --- dojo/templates/dojo/custom_html_toc.html | 2 +- dojo/templates/dojo/endpoint_pdf_report.html | 2 +- dojo/templates/dojo/engagement_pdf_report.html | 2 +- dojo/templates/dojo/finding_pdf_report.html | 2 +- dojo/templates/dojo/product_endpoint_pdf_report.html | 2 +- dojo/templates/dojo/product_pdf_report.html | 2 +- dojo/templates/dojo/product_type_pdf_report.html | 2 +- dojo/templates/dojo/test_pdf_report.html | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/dojo/templates/dojo/custom_html_toc.html b/dojo/templates/dojo/custom_html_toc.html index ebe60946ce7..e6598514600 100644 --- a/dojo/templates/dojo/custom_html_toc.html +++ b/dojo/templates/dojo/custom_html_toc.html @@ -40,7 +40,7 @@

{{ heading }}

level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/endpoint_pdf_report.html b/dojo/templates/dojo/endpoint_pdf_report.html index 55322e80eef..b214afadb35 100644 --- a/dojo/templates/dojo/endpoint_pdf_report.html +++ b/dojo/templates/dojo/endpoint_pdf_report.html @@ -378,7 +378,7 @@
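Review bot: `/\s/g` replaces each whitespace character with its own underscore, so a heading containing two consecutive spaces, or a tab followed by a space, yields `a__b`; `/\s+/g` collapses a run into one separator and gives stabler anchors: `var anchor = titleText.trim().replace(/\s+/g, "_");`. Either form is only correct if the same expression produces both the link `href` and the target `id`, and since `titleText` comes from heading text (finding titles, presumably user-influenced) characters such as `#`, `"` or `'` still pass through unchanged, so it is worth confirming how `anchor` is interpolated further down, outside the hunk. The identical snippet is patched in seven sibling report templates in this commit; moving it into one shared include would make the next fix a one-file change.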
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/engagement_pdf_report.html b/dojo/templates/dojo/engagement_pdf_report.html index 108cb4fc8d9..a9c8ac8101c 100644 --- a/dojo/templates/dojo/engagement_pdf_report.html +++ b/dojo/templates/dojo/engagement_pdf_report.html @@ -528,7 +528,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/finding_pdf_report.html b/dojo/templates/dojo/finding_pdf_report.html index 2b809deb71f..6d376c15bcb 100644 --- a/dojo/templates/dojo/finding_pdf_report.html +++ b/dojo/templates/dojo/finding_pdf_report.html @@ -358,7 +358,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/product_endpoint_pdf_report.html b/dojo/templates/dojo/product_endpoint_pdf_report.html index 372b2873ee6..614fa0f00f4 100644 --- a/dojo/templates/dojo/product_endpoint_pdf_report.html +++ b/dojo/templates/dojo/product_endpoint_pdf_report.html @@ -506,7 +506,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/product_pdf_report.html b/dojo/templates/dojo/product_pdf_report.html index cf142acd7c3..b02b2609de6 100644 --- a/dojo/templates/dojo/product_pdf_report.html +++ b/dojo/templates/dojo/product_pdf_report.html @@ -524,7 +524,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/product_type_pdf_report.html b/dojo/templates/dojo/product_type_pdf_report.html index a2ff7b4ae04..4b0fc48d9fc 100644 --- a/dojo/templates/dojo/product_type_pdf_report.html +++ b/dojo/templates/dojo/product_type_pdf_report.html @@ -408,7 +408,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { diff --git a/dojo/templates/dojo/test_pdf_report.html b/dojo/templates/dojo/test_pdf_report.html index 7885ba119ef..e9ec79d6aa9 100644 --- a/dojo/templates/dojo/test_pdf_report.html +++ b/dojo/templates/dojo/test_pdf_report.html @@ -543,7 +543,7 @@
Notes
level = parseInt(openLevel); - var anchor = titleText.trim().replace(/ /g, "_"); + var anchor = titleText.trim().replace(/\s/g, "_"); if(tags) { From 272802411d3ad1f12c5648d5675b3a32bc5950b9 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 29 Jul 2024 18:22:36 +0000 Subject: [PATCH 13/16] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index ab3201e6a41..00b56f81882 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.37.0-dev", + "version": "2.36.6", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 707177ee3ee..d01a8d9ffc5 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = '2.37.0-dev' +__version__ = '2.36.6' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index be5afccbdca..61d9e19baa4 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.37.0-dev" +appVersion: "2.36.6" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.143-dev +version: 1.6.143 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 0fd5be0c4694cc0f2b61af885968a2a1dcf7c5bd Mon Sep 17 00:00:00 2001 
From: DefectDojo release bot Date: Mon, 29 Jul 2024 18:52:59 +0000 Subject: [PATCH 14/16] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 00b56f81882..ab3201e6a41 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.36.6", + "version": "2.37.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index d01a8d9ffc5..707177ee3ee 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = '2.36.6' +__version__ = '2.37.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 61d9e19baa4..a05a5537864 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.36.6" +appVersion: "2.37.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.143 +version: 1.6.144-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 322f4b5dd7b1a8b22c07cbc6aca82913568729f8 Mon Sep 17 00:00:00 2001 From: DefectDojo Date: Mon, 29 Jul 2024 19:04:12 +0000 Subject: [PATCH 15/16] Update helm lock file Signed-off-by: DefectDojo --- helm/defectdojo/Chart.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index 863278dbd1a..d4ecf45a6d2 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock 
@@ -4,7 +4,7 @@ dependencies: version: 9.19.1 - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 15.5.19 + version: 15.5.20 - name: postgresql-ha repository: https://charts.bitnami.com/bitnami version: 9.4.11 @@ -13,6 +13,6 @@ dependencies: version: 14.4.6 - name: redis repository: https://charts.bitnami.com/bitnami - version: 19.6.3 -digest: sha256:942a170aa6f701a66667834296e9ee5acd46b6c9e87d8b92680da49b751f5412 -generated: "2024-07-24T21:55:36.092350817Z" + version: 19.6.4 +digest: sha256:51a41f1abaef44a584f055e4a2fd38994ce5c926dec1f80bd8f3fc605d0dd6e6 +generated: "2024-07-29T19:04:01.647095512Z" From 11171d86368af23503556cdd3fdb5ef5a2fc07ee Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Mon, 29 Jul 2024 14:08:44 -0500 Subject: [PATCH 16/16] Fixing ruff --- dojo/finding/views.py | 2 +- dojo/importers/default_importer.py | 2 +- dojo/importers/default_reimporter.py | 2 +- dojo/models.py | 2 +- dojo/notes/helper.py | 2 +- dojo/utils.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dojo/finding/views.py b/dojo/finding/views.py index 95b8760ab36..f40cc11ff84 100644 --- a/dojo/finding/views.py +++ b/dojo/finding/views.py @@ -1738,7 +1738,7 @@ def request_finding_review(request, fid): return render( request, "dojo/review_finding.html", - {"finding": finding, "product_tab": product_tab, "user": user, "form": form, "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"), }, + {"finding": finding, "product_tab": product_tab, "user": user, "form": form, "enable_table_filtering": get_system_setting("enable_ui_table_based_searching")}, ) diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py index 4eefc5c5bc2..92a63ec025f 100644 --- a/dojo/importers/default_importer.py +++ b/dojo/importers/default_importer.py 
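Review bot: The `"enable_table_filtering": get_system_setting("enable_ui_table_based_searching")` entry in the render context is computed by hand in this view, and the same key is added per view elsewhere in the series (components, engagement, product and test views per the PATCH 02 diffstat), so every future listing template needs the same line or silently loses the toggle. A template context processor that sets `enable_table_filtering` once would remove the repetition and the risk of a missed view. `request_finding_review` starts outside the hunk.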
@@ -305,7 +305,7 @@ def parse_findings( # Attempt any preprocessing before generating findings if len(self.parsed_findings) == 0 and self.test is None: scan = self.process_scan_file(scan) - if hasattr(parser, 'get_tests'): + if hasattr(parser, "get_tests"): self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser) else: self.parsed_findings = self.parse_findings_static_test_type(scan, parser) diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py index d3ffc82492c..cdbe6a0671c 100644 --- a/dojo/importers/default_reimporter.py +++ b/dojo/importers/default_reimporter.py @@ -289,7 +289,7 @@ def parse_findings( # Attempt any preprocessing before generating findings if len(self.parsed_findings) == 0 or self.test is None: scan = self.process_scan_file(scan) - if hasattr(parser, 'get_tests'): + if hasattr(parser, "get_tests"): self.parsed_findings = self.parse_findings_dynamic_test_type(scan, parser) else: self.parsed_findings = self.parse_findings_static_test_type(scan, parser) diff --git a/dojo/models.py b/dojo/models.py index 0141cc33137..87fd37de497 100644 --- a/dojo/models.py +++ b/dojo/models.py @@ -517,7 +517,7 @@ class System_Settings(models.Model): enable_ui_table_based_searching = models.BooleanField( default=True, blank=False, - verbose_name=_('Enable UI Table Based Filtering/Sorting'), + verbose_name=_("Enable UI Table Based Filtering/Sorting"), help_text=_("With this setting enabled, table headings will contain sort buttons for the current page of data in addition to sorting buttons that consider data from all pages.")) enable_calendar = models.BooleanField( default=True, diff --git a/dojo/notes/helper.py b/dojo/notes/helper.py index f4153818387..80f6f80a2a8 100644 --- a/dojo/notes/helper.py +++ b/dojo/notes/helper.py 
@@ -4,7 +4,7 @@ def delete_related_notes(obj): - if not hasattr(obj, 'notes'): + if not hasattr(obj, "notes"): logger.warning(f"Attempted to delete notes from object type {type(obj)} without 'notes' attribute.") return logging.debug(f"Deleting {obj.notes.count()} notes for {type(obj).__name__} {obj.id}") diff --git a/dojo/utils.py b/dojo/utils.py index 7a421ef90ee..4a3bf96736d 100644 --- a/dojo/utils.py +++ b/dojo/utils.py @@ -2597,7 +2597,7 @@ def generate_file_response(file_object: FileUpload) -> FileResponse: msg = f"FileUpload object expected but type <{type(file_object)}> received." raise TypeError(msg) # Determine the path of the file on disk within the MEDIA_ROOT - file_path = f'{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}' + file_path = f"{settings.MEDIA_ROOT}/{file_object.file.url.lstrip(settings.MEDIA_URL)}" _, file_extension = os.path.splitext(file_path) # Generate the FileResponse response = FileResponse(
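Review bot: The last line of the hunk, `logging.debug(...)`, writes to the root logger while the line above uses the module-level `logger`, so the debug message bypasses this module's logger name and configuration; change it to `logger.debug(f"Deleting {obj.notes.count()} notes for {type(obj).__name__} {obj.id}")`. Note also that `obj.notes.count()` issues a query purely for the log line; if the deletion that follows (outside the hunk) returns a count, logging that instead saves the round trip. `delete_related_notes` continues past the hunk.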
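Review bot: `file_object.file.url.lstrip(settings.MEDIA_URL)` on the new side is not a prefix strip: `str.lstrip` removes any leading run of characters drawn from the set of characters in `MEDIA_URL`, so with `MEDIA_URL = "/media/"` a url like `/media/images/x.png` becomes `ges/x.png` and `file_path` points at the wrong location. Use `file_object.file.url.removeprefix(settings.MEDIA_URL)`, or for a filesystem storage simply `file_object.file.path`, which Django resolves under `MEDIA_ROOT` for you. Because this function serves files to clients, it is also worth confirming (if stored filenames can be user-influenced) that the final path stays under `MEDIA_ROOT`, e.g. `Path(file_path).resolve().is_relative_to(Path(settings.MEDIA_ROOT).resolve())`. The bug predates this quote-style change but is carried by the new line; `generate_file_response` continues outside the hunk.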