diff --git a/.yarn/install-state.gz b/.yarn/install-state.gz
index a38b0155e..f5aa88f5e 100644
Binary files a/.yarn/install-state.gz and b/.yarn/install-state.gz differ
diff --git a/client/templates/pool-management/pool-search/index.njk b/client/templates/pool-management/pool-search/index.njk
index 53ca97277..37addbe5b 100644
--- a/client/templates/pool-management/pool-search/index.njk
+++ b/client/templates/pool-management/pool-search/index.njk
@@ -82,7 +82,7 @@
 },
 {
 value: "HGH",
- text: "High Court",
+ text: "High court",
 checked: advancedFields.afHigh
 }
 ]
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 8833a109a..1f491a986 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1085715":{"findings":[{"version":"1.8.5","paths":["nunjucks-async-loader>chokidar>braces","express-nunjucks>nunjucks-async-loader>chokidar>braces","nunjucks-async-loader>chokidar>anymatch>micromatch>braces","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<2.3.1","module_name":"braces","severity":"low","github_advisory_id":"GHSA-g95f-p29q-9xw4","cves":[],"access":"public","patched_versions":">=2.3.1","cvss":{"score":3.7,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-09T05:01:42.000Z","recommendation":"Upgrade to version 2.3.1 or later","cwe":["CWE-185","CWE-400"],"found_by":null,"deleted":null,"id":1085715,"references":"- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://www.npmjs.com/advisories/786\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-g95f-p29q-9xw4","created":"2019-06-06T15:30:30.000Z","reported_by":null,"title":"Regular Expression Denial of Service in braces","npm_advisory_id":null,"overview":"Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 2.3.1 or higher.","url":"https://github.com/advisories/GHSA-g95f-p29q-9xw4"},"1085724":{"findings":[{"version":"3.7.0","paths":["@hmcts/properties-volume>js-yaml"]}],"metadata":null,"vulnerable_versions":"<3.13.0","module_name":"js-yaml","severity":"moderate","github_advisory_id":"GHSA-2pr6-76vf-7546","cves":[],"access":"public","patched_versions":">=3.13.0","cvss":{"score":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-09T05:01:39.000Z","recommendation":"Upgrade to version 3.13.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085724,"references":"- https://github.com/nodeca/js-yaml/issues/475\n- https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235\n- https://www.npmjs.com/advisories/788\n- https://www.npmjs.com/advisories/788/versions\n- https://snyk.io/vuln/SNYK-JS-JSYAML-173999\n- https://github.com/advisories/GHSA-2pr6-76vf-7546","created":"2019-06-05T14:35:29.000Z","reported_by":null,"title":"Denial of Service in js-yaml","npm_advisory_id":null,"overview":"Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. 
By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 3.13.0.","url":"https://github.com/advisories/GHSA-2pr6-76vf-7546"},"1085744":{"findings":[{"version":"0.4.3","paths":["request>tunnel-agent","request-promise>request>tunnel-agent","request-promise>request-promise-core>request>tunnel-agent"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"tunnel-agent","severity":"moderate","github_advisory_id":"GHSA-xc7v-wxcw-j472","cves":[],"access":"public","patched_versions":">=0.6.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:22.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1085744,"references":"- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472","created":"2019-06-03T17:08:26.000Z","reported_by":null,"title":"Memory Exposure in tunnel-agent","npm_advisory_id":null,"overview":"Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```\n\n\n## Recommendation\n\nUpdate to version 0.6.0 or 
later.","url":"https://github.com/advisories/GHSA-xc7v-wxcw-j472"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1089034":{"findings":[{"version":"5.5.2","paths":["request>har-validator>ajv","request-promise>request>har-validator>ajv","request-promise>request-promise-core>request>har-validator>ajv"]}],"metadata":null,"vulnerable_versions":"<6.12.3","module_name":"ajv","severity":"moderate","github_advisory_id":"GHSA-v88g-cgmw-v5xw","cves":["CVE-2020-15366"],"access":"public","patched_versions":">=6.12.3","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:08:06.000Z","recommendation":"Upgrade to version 6.12.3 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1089034,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw","created":"2022-02-10T23:30:59.000Z","reported_by":null,"title":"Prototype Pollution in Ajv","npm_advisory_id":null,"overview":"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)","url":"https://github.com/advisories/GHSA-v88g-cgmw-v5xw"},"1089939":{"findings":[{"version":"1.8.5","paths":["nunjucks-async-loader>chokidar>braces","express-nunjucks>nunjucks-async-loader>chokidar>braces","nunjucks-async-loader>chokidar>anymatch>micromatch>braces","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<2.3.1","module_name":"braces","severity":"low","github_advisory_id":"GHSA-cwfw-4gq5-mrqx","cves":["CVE-2018-1109"],"access":"public","patched_versions":">=2.3.1","cvss":{"score":0,"vectorString":null},"updated":"2023-02-01T05:05:12.000Z","recommendation":"Upgrade to version 2.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089939,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-1109\n- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://bugzilla.redhat.com/show_bug.cgi?id=1547272\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-cwfw-4gq5-mrqx","created":"2022-01-06T20:42:03.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in braces","npm_advisory_id":null,"overview":"A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.","url":"https://github.com/advisories/GHSA-cwfw-4gq5-mrqx"},"1091775":{"findings":[{"version":"3.2.2","paths":["nunjucks"]}],"metadata":null,"vulnerable_versions":"<3.2.4","module_name":"nunjucks","severity":"moderate","github_advisory_id":"GHSA-x77j-w7wf-fjmw","cves":["CVE-2023-2142"],"access":"public","patched_versions":">=3.2.4","cvss":{"score":0,"vectorString":null},"updated":"2023-04-20T21:19:27.000Z","recommendation":"Upgrade to version 3.2.4 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1091775,"references":"- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw\n- https://github.com/mozilla/nunjucks/pull/1437\n- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\n- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4\n- https://github.com/advisories/GHSA-x77j-w7wf-fjmw","created":"2023-04-20T21:19:24.000Z","reported_by":null,"title":"Nunjucks autoescape bypass leads to cross site scripting","npm_advisory_id":null,"overview":"### Impact\nIn Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. 
If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash `\\` character.\n\n#### Example\nIf the user-controlled parameters were used in the views similar to the following:\n```\n\n```\n\nIt is possible to inject XSS payload using the below parameters:\n```\nhttps:///?lang=jp\\&place=};alert(document.domain)//\n```\n\n### Patches\nThe issue was patched in version 3.2.4.\n\n### References\n\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\n","url":"https://github.com/advisories/GHSA-x77j-w7wf-fjmw"},"1092972":{"findings":[{"version":"2.88.2","paths":["request","request-promise>request","request-promise>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side 
Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1094450":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":">=3.7.0 <4.17.19","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.19","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-10-24T20:51:25.000Z","recommendation":"Upgrade to version 4.17.19 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1094450,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://github.com/lodash/lodash/issues/4874\n- https://github.com/github/advisory-database/pull/2884\n- https://hackerone.com/reports/864701\n- https://github.com/lodash/lodash/wiki/Changelog#v41719\n- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. 
The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1094493":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-11-01T21:20:06.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094493,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. 
The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1094498":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-11-01T23:19:58.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1094498,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1094499":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-11-01T23:00:56.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094499,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1094500":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-11-01T23:21:12.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1095007":{"findings":[{"version":"2.0.0","paths":["nunjucks-async-loader>chokidar>glob-parent","express-nunjucks>nunjucks-async-loader>chokidar>glob-parent","nunjucks-async-loader>chokidar>anymatch>micromatch>parse-glob>glob-base>glob-parent","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>parse-glob>glob-base>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T00:42:42.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1095007,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- 
https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1095049":{"findings":[{"version":"0.0.8","paths":["config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"minimist","severity":"moderate","github_advisory_id":"GHSA-vh95-rmgr-6w4m","cves":["CVE-2020-7598"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-29T20:53:47.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095049,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-7598\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html\n- https://www.npmjs.com/advisories/1179\n- https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68\n- https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab\n- 
https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95\n- https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94\n- https://github.com/advisories/GHSA-vh95-rmgr-6w4m","created":"2020-04-03T21:48:32.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. \nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n\n\n\n## Recommendation\n\nUpgrade to versions 0.2.1, 1.2.3 or later.","url":"https://github.com/advisories/GHSA-vh95-rmgr-6w4m"},"1095058":{"findings":[{"version":"3.7.0","paths":["@hmcts/properties-volume>js-yaml"]}],"metadata":null,"vulnerable_versions":"<3.13.1","module_name":"js-yaml","severity":"high","github_advisory_id":"GHSA-8j8c-7jfh-h6hx","cves":[],"access":"public","patched_versions":">=3.13.1","cvss":{"score":0,"vectorString":null},"updated":"2023-11-29T20:43:52.000Z","recommendation":"Upgrade to version 3.13.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1095058,"references":"- https://github.com/nodeca/js-yaml/pull/480\n- https://www.npmjs.com/advisories/813\n- https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61\n- https://github.com/advisories/GHSA-8j8c-7jfh-h6hx","created":"2019-06-04T20:14:07.000Z","reported_by":null,"title":"Code Injection in js-yaml","npm_advisory_id":null,"overview":"Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code 
Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{ toString: ! 'function (){return Date.now()}' } : 1` \nwhich returns the object \n{\n \"1553107949161\": 1\n}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1.","url":"https://github.com/advisories/GHSA-8j8c-7jfh-h6hx"},"1095102":{"findings":[{"version":"2.5.0","paths":["request>tough-cookie","request-promise>request>tough-cookie","request-promise>request-promise-core>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1095365":{"findings":[{"version":"4.3.6","paths":["jsonwebtoken>semver","@hmcts/properties-volume>@azure/identity>@azure/msal-node>jsonwebtoken>semver","nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>semver","express-nunjucks>nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>semver","nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver","express-nunjucks>nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":"<5.7.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=5.7.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-01-08T20:36:49.000Z","recommendation":"Upgrade to version 5.7.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095365,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of 
Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1095423":{"findings":[{"version":"0.0.8","paths":["config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<0.2.4","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=0.2.4","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-01-12T20:16:56.000Z","recommendation":"Upgrade to version 0.2.4 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095423,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in 
minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":11,"moderate":27,"high":14,"critical":4},"dependencies":400,"devDependencies":3,"optionalDependencies":0,"totalDependencies":403}} +{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1085715":{"findings":[{"version":"1.8.5","paths":["nunjucks-async-loader>chokidar>braces","express-nunjucks>nunjucks-async-loader>chokidar>braces","nunjucks-async-loader>chokidar>anymatch>micromatch>braces","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<2.3.1","module_name":"braces","severity":"low","github_advisory_id":"GHSA-g95f-p29q-9xw4","cves":[],"access":"public","patched_versions":">=2.3.1","cvss":{"score":3.7,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-09T05:01:42.000Z","recommendation":"Upgrade to version 2.3.1 or later","cwe":["CWE-185","CWE-400"],"found_by":null,"deleted":null,"id":1085715,"references":"- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://www.npmjs.com/advisories/786\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-g95f-p29q-9xw4","created":"2019-06-06T15:30:30.000Z","reported_by":null,"title":"Regular Expression Denial of Service in braces","npm_advisory_id":null,"overview":"Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 2.3.1 or higher.","url":"https://github.com/advisories/GHSA-g95f-p29q-9xw4"},"1085724":{"findings":[{"version":"3.7.0","paths":["@hmcts/properties-volume>js-yaml"]}],"metadata":null,"vulnerable_versions":"<3.13.0","module_name":"js-yaml","severity":"moderate","github_advisory_id":"GHSA-2pr6-76vf-7546","cves":[],"access":"public","patched_versions":">=3.13.0","cvss":{"score":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-09T05:01:39.000Z","recommendation":"Upgrade to version 3.13.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085724,"references":"- https://github.com/nodeca/js-yaml/issues/475\n- https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235\n- https://www.npmjs.com/advisories/788\n- https://www.npmjs.com/advisories/788/versions\n- https://snyk.io/vuln/SNYK-JS-JSYAML-173999\n- https://github.com/advisories/GHSA-2pr6-76vf-7546","created":"2019-06-05T14:35:29.000Z","reported_by":null,"title":"Denial of Service in js-yaml","npm_advisory_id":null,"overview":"Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. 
By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 3.13.0.","url":"https://github.com/advisories/GHSA-2pr6-76vf-7546"},"1085744":{"findings":[{"version":"0.4.3","paths":["request>tunnel-agent","request-promise>request>tunnel-agent","request-promise>request-promise-core>request>tunnel-agent"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"tunnel-agent","severity":"moderate","github_advisory_id":"GHSA-xc7v-wxcw-j472","cves":[],"access":"public","patched_versions":">=0.6.0","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:22.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1085744,"references":"- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472","created":"2019-06-03T17:08:26.000Z","reported_by":null,"title":"Memory Exposure in tunnel-agent","npm_advisory_id":null,"overview":"Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```\n\n\n## Recommendation\n\nUpdate to version 0.6.0 or 
later.","url":"https://github.com/advisories/GHSA-xc7v-wxcw-j472"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1089034":{"findings":[{"version":"5.5.2","paths":["request>har-validator>ajv","request-promise>request>har-validator>ajv","request-promise>request-promise-core>request>har-validator>ajv"]}],"metadata":null,"vulnerable_versions":"<6.12.3","module_name":"ajv","severity":"moderate","github_advisory_id":"GHSA-v88g-cgmw-v5xw","cves":["CVE-2020-15366"],"access":"public","patched_versions":">=6.12.3","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-01-27T05:08:06.000Z","recommendation":"Upgrade to version 6.12.3 or later","cwe":["CWE-915","CWE-1321"],"found_by":null,"deleted":null,"id":1089034,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw","created":"2022-02-10T23:30:59.000Z","reported_by":null,"title":"Prototype Pollution in Ajv","npm_advisory_id":null,"overview":"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)","url":"https://github.com/advisories/GHSA-v88g-cgmw-v5xw"},"1089939":{"findings":[{"version":"1.8.5","paths":["nunjucks-async-loader>chokidar>braces","express-nunjucks>nunjucks-async-loader>chokidar>braces","nunjucks-async-loader>chokidar>anymatch>micromatch>braces","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<2.3.1","module_name":"braces","severity":"low","github_advisory_id":"GHSA-cwfw-4gq5-mrqx","cves":["CVE-2018-1109"],"access":"public","patched_versions":">=2.3.1","cvss":{"score":0,"vectorString":null},"updated":"2023-02-01T05:05:12.000Z","recommendation":"Upgrade to version 2.3.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089939,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-1109\n- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://bugzilla.redhat.com/show_bug.cgi?id=1547272\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-cwfw-4gq5-mrqx","created":"2022-01-06T20:42:03.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in braces","npm_advisory_id":null,"overview":"A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.","url":"https://github.com/advisories/GHSA-cwfw-4gq5-mrqx"},"1092972":{"findings":[{"version":"2.88.2","paths":["request","request-promise>request","request-promise>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the 
maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1094493":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-11-01T21:20:06.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1094493,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. 
The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1094498":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-11-01T23:19:58.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1094498,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1094499":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-11-01T23:00:56.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1094499,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1094500":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-11-01T23:21:12.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1094500,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- 
https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1095007":{"findings":[{"version":"2.0.0","paths":["nunjucks-async-loader>chokidar>glob-parent","express-nunjucks>nunjucks-async-loader>chokidar>glob-parent","nunjucks-async-loader>chokidar>anymatch>micromatch>parse-glob>glob-base>glob-parent","express-nunjucks>nunjucks-async-loader>chokidar>anymatch>micromatch>parse-glob>glob-base>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-11-29T00:42:42.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1095007,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- 
https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1095058":{"findings":[{"version":"3.7.0","paths":["@hmcts/properties-volume>js-yaml"]}],"metadata":null,"vulnerable_versions":"<3.13.1","module_name":"js-yaml","severity":"high","github_advisory_id":"GHSA-8j8c-7jfh-h6hx","cves":[],"access":"public","patched_versions":">=3.13.1","cvss":{"score":0,"vectorString":null},"updated":"2023-11-29T20:43:52.000Z","recommendation":"Upgrade to version 3.13.1 or later","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1095058,"references":"- https://github.com/nodeca/js-yaml/pull/480\n- https://www.npmjs.com/advisories/813\n- https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61\n- https://github.com/advisories/GHSA-8j8c-7jfh-h6hx","created":"2019-06-04T20:14:07.000Z","reported_by":null,"title":"Code Injection in js-yaml","npm_advisory_id":null,"overview":"Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. 
Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{ toString: ! 'function (){return Date.now()}' } : 1` \nwhich returns the object \n{\n \"1553107949161\": 1\n}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1.","url":"https://github.com/advisories/GHSA-8j8c-7jfh-h6hx"},"1095102":{"findings":[{"version":"2.5.0","paths":["request>tough-cookie","request-promise>request>tough-cookie","request-promise>request-promise-core>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-11-29T22:32:01.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095102,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1095365":{"findings":[{"version":"4.3.6","paths":["jsonwebtoken>semver","@hmcts/properties-volume>@azure/identity>@azure/msal-node>jsonwebtoken>semver","nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>semver","express-nunjucks>nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>semver","nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver","express-nunjucks>nunjucks-async-loader>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"]}],"metadata":null,"vulnerable_versions":"<5.7.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=5.7.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-01-08T20:36:49.000Z","recommendation":"Upgrade to version 5.7.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1095365,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of 
Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1095500":{"findings":[{"version":"3.10.1","paths":["lodash","@hmcts/properties-volume>lodash","request-promise>request-promise-core>lodash"]}],"metadata":null,"vulnerable_versions":">=3.7.0 <4.17.19","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.19","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2024-01-23T19:52:39.000Z","recommendation":"Upgrade to version 4.17.19 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1095500,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://github.com/lodash/lodash/issues/4874\n- https://github.com/github/advisory-database/pull/2884\n- https://hackerone.com/reports/864701\n- https://github.com/lodash/lodash/wiki/Changelog#v41719\n- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. 
The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1095524":{"findings":[{"version":"0.0.8","paths":["config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"minimist","severity":"moderate","github_advisory_id":"GHSA-vh95-rmgr-6w4m","cves":["CVE-2020-7598"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2024-01-23T21:27:45.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095524,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-7598\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html\n- https://www.npmjs.com/advisories/1179\n- https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68\n- https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab\n- https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95\n- https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94\n- https://github.com/advisories/GHSA-vh95-rmgr-6w4m","created":"2020-04-03T21:48:32.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Affected versions of `minimist` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. \nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n\n\n## Recommendation\n\nUpgrade to versions 0.2.1, 1.2.3 or later.","url":"https://github.com/advisories/GHSA-vh95-rmgr-6w4m"},"1095525":{"findings":[{"version":"0.0.8","paths":["config>json5>minimist"]}],"metadata":null,"vulnerable_versions":"<0.2.4","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=0.2.4","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-01-23T21:24:44.000Z","recommendation":"Upgrade to version 0.2.4 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1095525,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- 
https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":11,"moderate":26,"high":14,"critical":4},"dependencies":400,"devDependencies":3,"optionalDependencies":0,"totalDependencies":403}}
