diff --git a/UPGRADING.md b/UPGRADING.md
index c65a3be4b9..e5debb7abd 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -185,3 +185,7 @@ Demand for the scanner was low and AngularJS (1.x) has been officially [deprecat
 ➡️ [Reference: #1649](https://github.com/secureCodeBox/secureCodeBox/pull/1649)
+### Renamed the scanners ssh-scan and sslyze `hint` to `mitigation`
+We added a new attribute to the finding format called `mitigation` which is used to store information about how to mitigate the finding/issue. The `hint` attribute of the findings of the scanners `ssh-scan` and `sslyze` has been renamed to `mitigation` to be more consistent with the other scanners.
+
+➡️ [Reference: #1639](https://github.com/secureCodeBox/secureCodeBox/pull/1639)
diff --git a/parser-sdk/nodejs/findings-schema.json b/parser-sdk/nodejs/findings-schema.json
index 97ead32c9f..8b683586a6 100644
--- a/parser-sdk/nodejs/findings-schema.json
+++ b/parser-sdk/nodejs/findings-schema.json
@@ -48,6 +48,11 @@
 "HIGH"
 ]
 },
+ "mitigation": {
+ "description": "Contains a short description of how to mitigate the issue.",
+ "type": "string",
+ "nullable": true
+ },
 "attributes": {
 "description": "Attributes are not standardized. They differ from Scanner to Scanner.",
 "type": "object"
diff --git a/scanners/ncrack/parser/parser.js b/scanners/ncrack/parser/parser.js
index 6e51fcd115..dfb1698933 100644
--- a/scanners/ncrack/parser/parser.js
+++ b/scanners/ncrack/parser/parser.js
@@ -44,6 +44,7 @@ function transformToFindings (ncrackrun, publicKey) {
 location: `${portName}://${ipAddress}:${portid}`,
 osi_layer: 'APPLICATION',
 severity: 'HIGH',
+ mitigation: 'Use a more secure password or disable the service at ' + `${portName}://${ipAddress}:${portid}`,
 attributes: {
 port: portid,
 ip_address: ipAddress,
diff --git a/scanners/ncrack/parser/parser.test.js b/scanners/ncrack/parser/parser.test.js
index b577e88182..4befc13829 100644
--- a/scanners/ncrack/parser/parser.test.js
+++ b/scanners/ncrack/parser/parser.test.js
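Review bot: `"nullable": true` on the new `mitigation` property is an OpenAPI extension rather than a JSON Schema keyword, so whether the `"mitigation": null` values that the ssh-scan and sslyze parsers now emit pass `validateParser` depends on the validator honouring that keyword; if it does not, the draft-native form is `"type": ["string", "null"]`. Whichever form the other nullable properties of this schema already use should be mirrored here for consistency; those properties are outside the hunk, so this is inferred. The description could also state that the field is optional for scanners that cannot derive a remediation, e.g. `"Contains a short description of how to mitigate the issue. Null when the scanner provides no remediation."`.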
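Review bot: The added `mitigation` line concatenates a plain string onto a template literal and repeats the `${portName}://${ipAddress}:${portid}` expression already used for `location` on the line above; a single template literal reads better and keeps the two in step: ``mitigation: `Use a more secure password or disable the service at ${portName}://${ipAddress}:${portid}`,``. Hoisting the location into a local earlier in `transformToFindings` and referencing it from both fields would remove the duplication entirely, but the start of that function lies outside the hunk.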
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
-const { parse } = require("./parser");
+const {parse} = require("./parser");
 const fs = require("fs");
 const crypto = require("crypto");
 const {
@@ -34,23 +34,24 @@ it("should return findings when ncrack found credentials", async () => {
 await expect(validateParser(findings)).resolves.toBeUndefined();
 const [finding, ...otherFindings] = findings;
 expect(finding).toMatchInlineSnapshot(`
-{
- "attributes": {
- "ip_address": "192.168.0.1",
- "password": "aaf076d4fe7cfb63fd1628df91",
- "port": "22",
- "protocol": "tcp",
- "service": "ssh",
- "username": "root",
- },
- "category": "Discovered Credentials",
- "description": "",
- "location": "ssh://192.168.0.1:22",
- "name": "Credentials for Service ssh://192.168.0.1:22 discovered via bruteforce.",
- "osi_layer": "APPLICATION",
- "severity": "HIGH",
-}
-`);
+ {
+ "attributes": {
+ "ip_address": "192.168.0.1",
+ "password": "aaf076d4fe7cfb63fd1628df91",
+ "port": "22",
+ "protocol": "tcp",
+ "service": "ssh",
+ "username": "root",
+ },
+ "category": "Discovered Credentials",
+ "description": "",
+ "location": "ssh://192.168.0.1:22",
+ "mitigation": "Use a more secure password or disable the service at ssh://192.168.0.1:22",
+ "name": "Credentials for Service ssh://192.168.0.1:22 discovered via bruteforce.",
+ "osi_layer": "APPLICATION",
+ "severity": "HIGH",
+ }
+ `);
 expect(otherFindings.length).toBe(0);
 });
@@ -79,41 +80,43 @@ it("should return findings when ncrack found two credentials scanning two servic
 const findings = await parse(ncrackXML);
 await expect(validateParser(findings)).resolves.toBeUndefined();
 expect(findings).toMatchInlineSnapshot(`
-[
- {
- "attributes": {
- "ip_address": "192.168.0.2",
- "password": "55994bcdabd8b0b69d4cb32919",
- "port": "22",
- "protocol": "tcp",
- "service": "ssh",
- "username": "root",
- },
- "category": "Discovered Credentials",
- "description": "",
- "location": "ssh://192.168.0.2:22",
- "name": "Credentials for Service ssh://192.168.0.2:22 discovered via bruteforce.",
- "osi_layer": "APPLICATION",
- "severity": "HIGH",
- },
- {
- "attributes": {
- "ip_address": "192.168.0.1",
- "password": "2a4707625af87d8d4302ad226d",
- "port": "22",
- "protocol": "tcp",
- "service": "ssh",
- "username": "root",
- },
- "category": "Discovered Credentials",
- "description": "",
- "location": "ssh://192.168.0.1:22",
- "name": "Credentials for Service ssh://192.168.0.1:22 discovered via bruteforce.",
- "osi_layer": "APPLICATION",
- "severity": "HIGH",
- },
-]
-`);
+ [
+ {
+ "attributes": {
+ "ip_address": "192.168.0.2",
+ "password": "55994bcdabd8b0b69d4cb32919",
+ "port": "22",
+ "protocol": "tcp",
+ "service": "ssh",
+ "username": "root",
+ },
+ "category": "Discovered Credentials",
+ "description": "",
+ "location": "ssh://192.168.0.2:22",
+ "mitigation": "Use a more secure password or disable the service at ssh://192.168.0.2:22",
+ "name": "Credentials for Service ssh://192.168.0.2:22 discovered via bruteforce.",
+ "osi_layer": "APPLICATION",
+ "severity": "HIGH",
+ },
+ {
+ "attributes": {
+ "ip_address": "192.168.0.1",
+ "password": "2a4707625af87d8d4302ad226d",
+ "port": "22",
+ "protocol": "tcp",
+ "service": "ssh",
+ "username": "root",
+ },
+ "category": "Discovered Credentials",
+ "description": "",
+ "location": "ssh://192.168.0.1:22",
+ "mitigation": "Use a more secure password or disable the service at ssh://192.168.0.1:22",
+ "name": "Credentials for Service ssh://192.168.0.1:22 discovered via bruteforce.",
+ "osi_layer": "APPLICATION",
+ "severity": "HIGH",
+ },
+ ]
+ `);
 });
 it("should encrypt findings when a public key is set", async () => {
diff --git a/scanners/ssh-scan/parser/parser.js b/scanners/ssh-scan/parser/parser.js
index 14bfb1272b..299514818d 100644
--- a/scanners/ssh-scan/parser/parser.js
+++ b/scanners/ssh-scan/parser/parser.js
@@ -102,7 +102,7 @@ function createPolicyViolationFinding({
 osi_layer: "NETWORK",
 severity: "MEDIUM",
 reference: {},
- hint: recommendation,
+ mitigation: recommendation,
 location: hostname || ipAddress,
 attributes: {
 hostname: hostname,
@@ -180,7 +180,7 @@ async function parse(fileContent) {
 osi_layer: "APPLICATION",
 severity: "INFORMATIONAL",
 reference: {},
- hint: "",
+ mitigation: null,
 location: location,
 attributes: {
 hostname: host.hostname || null,
diff --git a/scanners/ssh-scan/parser/parser.test.js b/scanners/ssh-scan/parser/parser.test.js
index d1de50840d..c9819e4356 100644
--- a/scanners/ssh-scan/parser/parser.test.js
+++ b/scanners/ssh-scan/parser/parser.test.js
@@ -86,9 +86,9 @@ test("ssh-scan parser parses a proper result to proper findings", async () => {
 },
 "category": "SSH Service",
 "description": "SSH Service Information",
- "hint": "",
 "identified_at": "2019-10-03T16:28:09.000Z",
 "location": "securecodebox.io",
+ "mitigation": null,
 "name": "SSH Service",
 "osi_layer": "APPLICATION",
 "reference": {},
@@ -104,8 +104,8 @@ test("ssh-scan parser parses a proper result to proper findings", async () => {
 },
 "category": "SSH Policy Violation",
 "description": "Deprecated / discouraged SSH key algorithms are used",
- "hint": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
 "location": "securecodebox.io",
+ "mitigation": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
 "name": "Insecure SSH Key Algorithms",
 "osi_layer": "NETWORK",
 "reference": {},
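Review bot: Apart from the new `"mitigation"` entry, every line of the inline snapshot in this hunk is re-indented, and the first hunk of the file rewrites `const { parse }` as `const {parse}` while the `const {` destructuring directly below keeps the spaced form; both read as formatter churn from a different editor configuration rather than part of the change, and the same re-indentation recurs in the next hunk of this file. Limiting the diff to the added `"mitigation"` line and leaving the require untouched would keep the snapshot stable under the project's formatter and make the review easier to read.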
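Review bot: The second ssh-scan parser hunk changes the informational finding's value from `hint: ""` to `mitigation: null`, which is a value change on top of the rename, while the UPGRADING entry in this commit describes the change only as a rename; consumers that filtered on an empty `hint` string will now see `null`. Either keep the empty string if the schema intends a string here, or extend the UPGRADING note to say that the informational SSH Service finding now reports `mitigation` as `null` instead of an empty string. The enclosing `parse` function starts and ends outside the hunk.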
@@ -124,8 +124,8 @@ test("ssh-scan parser parses a proper result to proper findings", async () => {
 },
 "category": "SSH Policy Violation",
 "description": "Deprecated / discouraged SSH MAC algorithms are used",
- "hint": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
 "location": "securecodebox.io",
+ "mitigation": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
 "name": "Insecure SSH MAC Algorithms",
 "osi_layer": "NETWORK",
 "reference": {},
@@ -198,9 +198,9 @@ test("ssh-scan parser parses a result without a hostname into proper findings",
 },
 "category": "SSH Service",
 "description": "SSH Service Information",
- "hint": "",
 "identified_at": "2019-10-03T16:37:12.000Z",
 "location": "192.168.42.42",
+ "mitigation": null,
 "name": "SSH Service",
 "osi_layer": "APPLICATION",
 "reference": {},
@@ -216,8 +216,8 @@ test("ssh-scan parser parses a result without a hostname into proper findings",
 },
 "category": "SSH Policy Violation",
 "description": "Deprecated / discouraged SSH key algorithms are used",
- "hint": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
 "location": "192.168.42.42",
+ "mitigation": "Remove these key exchange algorithms: diffie-hellman-group14-sha1",
 "name": "Insecure SSH Key Algorithms",
 "osi_layer": "NETWORK",
 "reference": {},
@@ -236,8 +236,8 @@ test("ssh-scan parser parses a result without a hostname into proper findings",
 },
 "category": "SSH Policy Violation",
 "description": "Deprecated / discouraged SSH MAC algorithms are used",
- "hint": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
 "location": "192.168.42.42",
+ "mitigation": "Remove these MAC algorithms: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
 "name": "Insecure SSH MAC Algorithms",
 "osi_layer": "NETWORK",
 "reference": {},
@@ -253,8 +253,8 @@ test("ssh-scan parser parses a result without a hostname into proper findings",
 },
 "category": "SSH Policy Violation",
 "description": "Discouraged SSH authentication methods are used",
- "hint": "Remove these authentication methods: password",
 "location": "192.168.42.42",
+ "mitigation": "Remove these authentication methods: password",
 "name": "Discouraged SSH authentication methods",
 "osi_layer": "NETWORK",
 "reference": {},
diff --git a/scanners/sslyze/parser/parser.js b/scanners/sslyze/parser/parser.js
index 44adfaa2cd..1dd4e803bc 100644
--- a/scanners/sslyze/parser/parser.js
+++ b/scanners/sslyze/parser/parser.js
@@ -119,7 +119,7 @@ function generateInformationalServiceFinding(serverScanResult) {
 identified_at: serverScanResult.identified_at,
 category: "TLS Service Info",
 severity: "INFORMATIONAL",
- hint: null,
+ mitigation: null,
 attributes: {
 tls_versions: getAllSupportedTlsVersions(serverScanResult),
 cipher_suites: getAllAcceptedCipherSuites(serverScanResult),
@@ -141,7 +141,7 @@ function generateVulnerableTLSVersionFindings(serverScanResult) {
 description: "The server uses outdated or insecure tls versions.",
 identified_at: serverScanResult.identified_at,
 severity: "MEDIUM",
- hint: "Upgrade to a higher tls version.",
+ mitigation: "Upgrade to a higher tls version.",
 attributes: {
 outdated_version: tlsVersion,
 },
@@ -197,7 +197,7 @@ function analyseCertificateDeployments(serverScanResult) {
 description: findingTemplate.description,
 identified_at: serverScanResult.identified_at,
 severity: "MEDIUM",
- hint: null,
+ mitigation: null,
 attributes: {},
 };
 });
diff --git a/scanners/sslyze/parser/parser.test.js b/scanners/sslyze/parser/parser.test.js
index 4820f483d4..37228ca441 100644
--- a/scanners/sslyze/parser/parser.test.js
+++ b/scanners/sslyze/parser/parser.test.js
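Review bot: In the third sslyze parser hunk the certificate findings built from `findingTemplate` keep `mitigation: null`, although those templates already carry per-issue `description` text (expired, self-signed, hostname mismatch, untrusted root, as the test snapshots in this commit show), so the new field stays empty for exactly the findings where a remediation is most useful. Adding a `mitigation` string to each template and emitting `mitigation: findingTemplate.mitigation ?? null,` would populate it without changing the output for templates that lack one (use `|| null` if the parser targets a runtime without nullish coalescing). The template definitions and the start of `analyseCertificateDeployments` are outside the hunk, so the template shape is inferred from the `findingTemplate.description` line.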
@@ -52,9 +52,9 @@ test("parses result file for www.securecodebox.io correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-22T13:07:17.614Z",
 "location": "www.securecodebox.io:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -116,9 +116,9 @@ test("parses result file for tls-v1-0.badssl.com:1010 correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-22T13:00:24.567Z",
 "location": "tls-v1-0.badssl.com:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -133,9 +133,9 @@ test("parses result file for tls-v1-0.badssl.com:1010 correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:00:24.567Z",
 "location": "tls-v1-0.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.0 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -150,9 +150,9 @@ test("parses result file for tls-v1-0.badssl.com:1010 correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:00:24.567Z",
 "location": "tls-v1-0.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.1 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -216,9 +216,9 @@ test("parses result file for expired.badssl.com correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-28T12:21:27.539Z",
 "location": "expired.badssl.com:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -233,9 +233,9 @@ test("parses result file for expired.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-28T12:21:27.539Z",
 "location": "expired.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.0 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -250,9 +250,9 @@ test("parses result file for expired.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-28T12:21:27.539Z",
 "location": "expired.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.1 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -266,9 +266,9 @@ test("parses result file for expired.badssl.com correctly", async () => {
 },
 "category": "Invalid Certificate",
 "description": "Certificate has expired",
- "hint": null,
 "identified_at": "2021-12-28T12:21:27.539Z",
 "location": "expired.badssl.com:443",
+ "mitigation": null,
 "name": "Expired Certificate",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -329,9 +329,9 @@ test("parses result file for wrong.host.badssl.com correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-22T13:06:29.937Z",
 "location": "wrong.host.badssl.com:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -346,9 +346,9 @@ test("parses result file for wrong.host.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:06:29.937Z",
 "location": "wrong.host.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.0 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -363,9 +363,9 @@ test("parses result file for wrong.host.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:06:29.937Z",
 "location": "wrong.host.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.1 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -379,9 +379,9 @@ test("parses result file for wrong.host.badssl.com correctly", async () => {
 },
 "category": "Invalid Certificate",
 "description": "Hostname of Server didn't match the certificates subject names",
- "hint": null,
 "identified_at": "2021-12-22T13:06:29.937Z",
 "location": "wrong.host.badssl.com:443",
+ "mitigation": null,
 "name": "Invalid Hostname",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -445,9 +445,9 @@ test("parses result file for untrusted-root.badssl.com correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-22T13:01:41.243Z",
 "location": "untrusted-root.badssl.com:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -462,9 +462,9 @@ test("parses result file for untrusted-root.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:01:41.243Z",
 "location": "untrusted-root.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.0 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -479,9 +479,9 @@ test("parses result file for untrusted-root.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T13:01:41.243Z",
 "location": "untrusted-root.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.1 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -495,9 +495,9 @@ test("parses result file for untrusted-root.badssl.com correctly", async () => {
 },
 "category": "Invalid Certificate",
 "description": "The certificate chain contains a certificate not trusted ",
- "hint": null,
 "identified_at": "2021-12-22T13:01:41.243Z",
 "location": "untrusted-root.badssl.com:443",
+ "mitigation": null,
 "name": "Untrusted Certificate Root",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -558,9 +558,9 @@ test("parses result file for self-signed.badssl.com correctly", async () => {
 },
 "category": "TLS Service Info",
 "description": "",
- "hint": null,
 "identified_at": "2021-12-22T12:57:56.762Z",
 "location": "self-signed.badssl.com:443",
+ "mitigation": null,
 "name": "TLS Service",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -575,9 +575,9 @@ test("parses result file for self-signed.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T12:57:56.762Z",
 "location": "self-signed.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.0 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -592,9 +592,9 @@ test("parses result file for self-signed.badssl.com correctly", async () => {
 },
 "category": "Outdated TLS Version",
 "description": "The server uses outdated or insecure tls versions.",
- "hint": "Upgrade to a higher tls version.",
 "identified_at": "2021-12-22T12:57:56.762Z",
 "location": "self-signed.badssl.com:443",
+ "mitigation": "Upgrade to a higher tls version.",
 "name": "TLS Version TLS 1.1 is considered insecure",
 "osi_layer": "PRESENTATION",
 "reference": null,
@@ -608,9 +608,9 @@ test("parses result file for self-signed.badssl.com correctly", async () => {
 },
 "category": "Invalid Certificate",
 "description": "Certificate is self-signed",
- "hint": null,
 "identified_at": "2021-12-22T12:57:56.762Z",
 "location": "self-signed.badssl.com:443",
+ "mitigation": null,
 "name": "Self-Signed Certificate",
 "osi_layer": "PRESENTATION",
 "reference": null,
diff --git a/scanners/trivy/parser/__snapshots__/parser.test.js.snap b/scanners/trivy/parser/__snapshots__/parser.test.js.snap
index 6c5024eecd..3aa933b91f 100644
--- a/scanners/trivy/parser/__snapshots__/parser.test.js.snap
+++ b/scanners/trivy/parser/__snapshots__/parser.test.js.snap @@ -21,6 +21,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.7-r0 or remove the package from the image.", "name": "Vulnerability in Dependency apk-tools (2.10.4-r3)", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -44,6 +45,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.6-r0 or remove the package from the image.", "name": "Vulnerability in Dependency apk-tools (2.10.4-r3)", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -72,6 +74,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r10 or remove the package from the image.", "name": "busybox: invalid free or segmentation fault via malformed gzip data", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -105,6 +108,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: SM2 Decryption Buffer Overflow", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -160,6 +164,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -202,6 +207,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: integer overflow in CipherUpdate", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -246,6 +252,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -286,6 +293,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: Read buffer overruns processing ASN.1 strings", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -335,6 +343,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -380,6 +389,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -431,6 +441,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in signature_algorithms processing", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -459,6 +470,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: incorrect SSLv2 rollback protection", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -486,6 +498,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libgcc to the fixed version: 9.3.0-r0 or remove the package from the image.", "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -519,6 +532,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: SM2 Decryption Buffer Overflow", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -574,6 +588,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -616,6 +631,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: integer overflow in CipherUpdate", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -660,6 +676,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -700,6 +717,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: Read buffer overruns processing ASN.1 strings", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -749,6 +767,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -794,6 +813,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -845,6 +865,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in signature_algorithms processing", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -873,6 +894,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: incorrect SSLv2 rollback protection", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -900,6 +922,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package libstdc++ to the fixed version: 9.3.0-r0 or remove the package from the image.", "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -931,6 +954,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package musl to the fixed version: 1.1.24-r3 or remove the package from the image.", "name": "Vulnerability in Dependency musl (1.1.24-r2)", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -962,6 +986,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package musl-utils to the fixed version: 1.1.24-r3 or remove the package from the image.", "name": "Vulnerability in Dependency musl-utils (1.1.24-r2)", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -990,6 +1015,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "Image Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r10 or remove the package from the image.", "name": "busybox: invalid free or segmentation fault via malformed gzip data", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -1015,6 +1041,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -1040,6 +1067,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -1063,6 +1091,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` "category": "NPM Package Vulnerability", "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -1091,6 +1120,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` Update to version 3.0.0 or later.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read in base64url", "osi_layer": "NOT_APPLICABLE", "reference": null, @@ -1115,6 +1145,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package bl to the fixed version: 2.2.1, 1.2.3, 4.0.3, 3.0.1 or remove the package from the image.", "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -1142,6 +1173,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package bl to the fixed version: 2.2.1, 1.2.3, 4.0.3, 3.0.1 or remove the package from the image.", "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -1170,6 +1202,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package color-string to the fixed version: 1.5.5 or remove the package from the image.", "name": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -1193,6 +1226,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.",
 "name": "Regular Expression Denial of Service (ReDoS)",
 "osi_layer": "NOT_APPLICABLE",
 "reference": null,
@@ -1218,6 +1252,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package dot-prop to the fixed version: 5.1.1, 4.2.1 or remove the package from the image.",
 "name": "nodejs-dot-prop: prototype pollution",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1243,6 +1278,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.",
 "name": "Authorization bypass in express-jwt",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1268,6 +1304,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package getobject to the fixed version: 1.0.0 or remove the package from the image.",
 "name": "nodejs-getobject: Prototype pollution could result in DoS and RCE",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1295,6 +1332,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.",
 "name": "nodejs-growl: Does not properly sanitize input before passing it to exec",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1326,6 +1364,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package grunt to the fixed version: 1.3.0 or remove the package from the image.",
 "name": "Arbitrary Code Execution in grunt",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1357,6 +1396,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.",
 "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1387,6 +1427,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.",
 "name": "nodejs-ini: Prototype pollution via malicious INI file",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1414,6 +1455,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.",
 "name": "nodejs-jsonwebtoken: verification step bypass with an altered token",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1438,6 +1480,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.",
 "name": "Verification Bypass",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1465,6 +1508,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.",
 "name": "nodejs-jsonwebtoken: verification step bypass with an altered token",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1489,6 +1533,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.",
 "name": "Verification Bypass",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1518,6 +1563,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 *Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package jws to the fixed version: 3.0.0 or remove the package from the image.",
 "name": "Forgeable Public/Private Tokens",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1547,6 +1593,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1577,6 +1624,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in zipObjectDeep function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1611,6 +1659,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.",
 "name": "nodejs-lodash: command injection via template",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1637,6 +1686,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.",
 "name": "lodash: Prototype pollution in utilities function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1666,6 +1716,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.5 or remove the package from the image.",
 "name": "lodash: Prototype pollution in utilities function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1694,6 +1745,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.",
 "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1723,6 +1775,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1753,6 +1806,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in zipObjectDeep function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1787,6 +1841,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.",
 "name": "nodejs-lodash: command injection via template",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1817,6 +1872,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in zipObjectDeep function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1851,6 +1907,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.",
 "name": "nodejs-lodash: command injection via template",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1875,6 +1932,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution attack (lodash)",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package lodash to the fixed version: >=4.17.19 or remove the package from the image.",
 "name": "Allocation of Resources Without Limits or Throttling",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1903,6 +1961,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 No fix is currently available. Consider using an alternative package until a fix is made available.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.",
 "name": "Command Injection in marsdb",
 "osi_layer": "NOT_APPLICABLE",
 "reference": null,
@@ -1927,6 +1986,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package minimist to the fixed version: 1.2.3, 0.2.1 or remove the package from the image.",
 "name": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
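Review bot: The marsdb hunk (`@@ -1903,6 +1961,7 @@`) snapshots a mitigation that reads `fixed version: undefined`, which means the parser interpolates a missing fixed-version field straight into user-facing text; the description two lines above says no fix is available, so this is exactly the case the message has to handle. The parser that builds these findings is not in this chunk, but it should branch on a missing fixed version and emit something like `No fixed version is available for marsdb; consider removing the package from the image or replacing it with a maintained alternative.`, after which this snapshot line is regenerated rather than accepted as-is. The same pass-through also produces range strings such as `>=4.17.19` and `>=4.2.2` as "fixed versions" in the lodash hunk above and the jsonwebtoken hunks earlier in this file, which is not wrong but worth normalizing in the same change.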
@@ -1953,6 +2013,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.",
 "name": "nodejs-moment: Regular expression denial of service",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -1986,6 +2047,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package moment to the fixed version: 2.11.2 or remove the package from the image.",
 "name": "moment.js: regular expression denial of service",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2019,6 +2081,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package npm to the fixed version: 6.14.6 or remove the package from the image.",
 "name": "npm: sensitive information exposure through logs",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2042,6 +2105,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "Affected versions of \`npm-registry-fetch\` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like \`://[[:]@][:][:][/]\`. The password value is not redacted and is printed to stdout and also to any generated log files.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package npm-registry-fetch to the fixed version: 8.1.1, 4.0.5 or remove the package from the image.",
 "name": "Sensitive information exposure through logs in npm-registry-fetch",
 "osi_layer": "NOT_APPLICABLE",
 "reference": null,
@@ -2068,6 +2132,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.",
 "name": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2100,6 +2165,7 @@ The issue is patched in version 1.0.1 by improving the regular expression used a
 ### Workarounds
 Restrict the character length to a reasonable degree before passing a value to \`.emal()\`; Also, consider doing a more rigorous sanitizing/validation beforehand.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.",
 "name": "Regular Expression Denial of Service in npm-user-validate",
 "osi_layer": "NOT_APPLICABLE",
 "reference": null,
@@ -2126,6 +2192,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.",
 "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2156,6 +2223,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package pug to the fixed version: 3.0.1 or remove the package from the image.",
 "name": "Remote code execution via the \`pretty\` option.",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2186,6 +2254,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.2, 2.0.3 or remove the package from the image.",
 "name": "Remote code execution via the \`pretty\` option.",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2212,6 +2281,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "sanitize-html before 1.4.3 has XSS.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 1.4.3 or remove the package from the image.",
 "name": "XSS - Sanitization not applied recursively",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2238,6 +2308,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.",
 "name": "Cross-Site Scripting in sanitize-html",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2264,6 +2335,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.",
 "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2290,6 +2362,7 @@ Restrict the character length to a reasonable degree before passing a value to \
 "category": "NPM Package Vulnerability",
 "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.",
 "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2331,6 +2404,7 @@ console.log(clean);
 // !!
 \`\`\`",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.",
 "name": "Cross Site Scripting",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2359,6 +2433,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package set-value to the fixed version: 4.0.1 or remove the package from the image.",
 "name": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2386,6 +2461,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package socket.io to the fixed version: 2.4.0 or remove the package from the image.",
 "name": "Insecure defaults due to CORS misconfiguration in socket.io",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2413,6 +2489,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.4.1, 3.3.2 or remove the package from the image.",
 "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2440,6 +2517,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.4.1, 3.3.2 or remove the package from the image.",
 "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2470,6 +2548,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package ssri to the fixed version: 8.0.1, 7.1.1, 6.0.2 or remove the package from the image.",
 "name": "nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2500,6 +2579,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package tar to the fixed version: 6.1.2, 5.0.7, 4.4.15, 3.2.3 or remove the package from the image.",
 "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2530,6 +2610,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package tar to the fixed version: 6.1.1, 5.0.6, 4.4.14, 3.2.2 or remove the package from the image.",
 "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2557,6 +2638,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. 
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 6.1.7, 5.0.8, 4.4.16 or remove the package from the image.", "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2584,6 +2666,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2610,6 +2693,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", "name": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2635,6 +2719,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package trim-newlines to the fixed version: 4.0.1, 3.0.1 or remove the package from the image.", "name": "nodejs-trim-newlines: ReDoS in .end() method", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2660,6 +2745,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", "name": "Inefficient Regular Expression Complexity in validator.js", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2686,6 +2772,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 5.2.3, 6.2.2, 7.4.6 or remove the package from the image.", "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2712,6 +2799,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package ws to the fixed version: 5.2.3, 6.2.2, 7.4.6 or remove the package from the image.", "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2739,6 +2827,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.1 or remove the package from the image.", "name": "xmlhttprequest-ssl: SSL certificate validation disabled by default", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2767,6 +2856,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.2 or remove the package from the image.", "name": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2797,6 +2887,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package y18n to the fixed version: 5.0.5, 4.0.1, 3.2.2 or remove the package from the image.", "name": "nodejs-y18n: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2827,6 +2918,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true", "location": "bkimminich/juice-shop:v10.2.0", + "mitigation": "Update the affected package y18n to the fixed version: 5.0.5, 4.0.1, 3.2.2 or remove the package from the image.", "name": "nodejs-y18n: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -2853,6 +2945,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package yargs-parser to the fixed version: 5.0.1, 13.1.2, 18.1.2, 15.0.1 or remove the package from the image.",
 "name": "nodejs-yargs-parser: prototype pollution vulnerability",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2879,6 +2972,7 @@ console.log(clean);
 "category": "NPM Package Vulnerability",
 "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.",
 "location": "bkimminich/juice-shop:v10.2.0",
+ "mitigation": "Update the affected package yargs-parser to the fixed version: 5.0.1, 13.1.2, 18.1.2, 15.0.1 or remove the package from the image.",
 "name": "nodejs-yargs-parser: prototype pollution vulnerability",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2909,6 +3003,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = `
 "category": "NPM Package Vulnerability",
 "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.",
 "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -2934,6 +3029,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package ansi-regex to the fixed version: 5.0.1, 6.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2957,6 +3053,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` "category": "NPM Package Vulnerability", "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -2985,6 +3082,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` Update to version 3.0.0 or later.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read in base64url", "osi_layer": "NOT_APPLICABLE", "reference": null, 
@@ -3005,6 +3103,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.",
 "name": "Regular Expression Denial of Service (ReDoS)",
 "osi_layer": "NOT_APPLICABLE",
 "reference": null,
@@ -3027,6 +3126,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.",
 "name": "Authorization bypass in express-jwt",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3054,6 +3154,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.",
 "name": "nodejs-growl: Does not properly sanitize input before passing it to exec",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3078,6 +3179,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package hbs to the fixed version: undefined or remove the package from the image.",
 "name": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
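Review bot: The added `mitigation` line for hbs in the second hunk here reads `fixed version: undefined`, which means the parser that generates this text interpolates an absent fixed-version value straight into a user-facing string; the marsdb entry in a later hunk of this file shows the same `undefined`. The generating code is outside this snapshot, but whatever builds the template should branch on the value being missing, e.g. emit `Remove the package from the image or replace it; no fixed version is available.` when the scanner reports none, and only use the `Update the affected package … to the fixed version: …` form otherwise. The snapshot should then be regenerated so these two entries no longer pin the broken string. Note also that the version list is copied verbatim from the scanner output (the growl entry above says 1.10.0 while its description names 1.10.2), so a short comment in the parser stating that `mitigation` is scanner-supplied and not verified would help readers of these findings.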
@@ -3105,6 +3207,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.",
 "name": "nodejs-jsonwebtoken: verification step bypass with an altered token",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3129,6 +3232,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.",
 "name": "Verification Bypass",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3156,6 +3260,7 @@ Update to version 3.0.0 or later.",
 "category": "NPM Package Vulnerability",
 "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.",
 "name": "nodejs-jsonwebtoken: verification step bypass with an altered token",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3180,6 +3285,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", "name": "Verification Bypass", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3209,6 +3315,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions *Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package jws to the fixed version: 3.0.0 or remove the package from the image.", "name": "Forgeable Public/Private Tokens", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3238,6 +3345,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3268,6 +3376,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.",
 "name": "nodejs-lodash: prototype pollution in zipObjectDeep function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3302,6 +3411,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.",
 "name": "nodejs-lodash: command injection via template",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3328,6 +3438,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions
 "category": "NPM Package Vulnerability",
 "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.",
 "name": "lodash: Prototype pollution in utilities function",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3357,6 +3468,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.5 or remove the package from the image.", "name": "lodash: Prototype pollution in utilities function", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3385,6 +3497,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3414,6 +3527,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3444,6 +3558,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3478,6 +3593,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3506,6 +3622,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions No fix is currently available. Consider using an alternative package until a fix is made available.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", "name": "Command Injection in marsdb", "osi_layer": "NOT_APPLICABLE", "reference": null, @@ -3529,6 +3646,7 @@ No fix is currently available. Consider using an alternative package until a fix "category": "NPM Package Vulnerability", "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", "name": "nodejs-moment: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3562,6 +3680,7 @@ No fix is currently available. Consider using an alternative package until a fix "category": "NPM Package Vulnerability", "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package moment to the fixed version: 2.11.2 or remove the package from the image.", "name": "moment.js: regular expression denial of service", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3588,6 +3707,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "sanitize-html before 1.4.3 has XSS.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 1.4.3 or remove the package from the image.",
 "name": "XSS - Sanitization not applied recursively",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3614,6 +3734,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.",
 "name": "Cross-Site Scripting in sanitize-html",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3640,6 +3761,7 @@ No fix is currently available. Consider using an alternative package until a fix
 "category": "NPM Package Vulnerability",
 "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.",
 "location": "bkimminich/juice-shop:v12.10.2",
+ "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.",
 "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation",
 "osi_layer": "NOT_APPLICABLE",
 "reference": {
@@ -3666,6 +3788,7 @@ No fix is currently available. Consider using an alternative package until a fix "category": "NPM Package Vulnerability", "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3707,6 +3830,7 @@ console.log(clean); // !! \`\`\`", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", "name": "Cross Site Scripting", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3735,6 +3859,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package set-value to the fixed version: 4.0.1 or remove the package from the image.", "name": "nodejs-set-value: type confusion allows bypass of CVE-2019-10747", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3765,6 +3890,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.1.2, 5.0.7, 4.4.15, 3.2.3 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3795,6 +3921,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.1.1, 5.0.6, 4.4.14, 3.2.2 or remove the package from the image.", "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3822,6 +3949,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. 
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.1.7, 5.0.8, 4.4.16 or remove the package from the image.", "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3849,6 +3977,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", "name": "nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3875,6 +4004,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package tar to the fixed version: 6.1.9, 5.0.10, 4.4.18 or remove the package from the image.", "name": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3900,6 +4030,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", "name": "Inefficient Regular Expression Complexity in validator.js", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3928,6 +4059,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", "location": "bkimminich/juice-shop:v12.10.2", + "mitigation": "Update the affected package vm2 to the fixed version: 3.9.4 or remove the package from the image.", "name": "Prototype Pollution in vm2", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -3957,6 +4089,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", "name": "jwt-go: access restriction bypass vulnerability", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -3987,6 +4120,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4013,6 +4147,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/miekg/dns to the fixed version: v1.1.25-0.20191211073109-8ebf2e419df7 or remove the package from the image.", "name": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4039,6 +4174,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4063,6 +4199,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", "name": "jwt-go: access restriction bypass vulnerability", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4093,6 +4230,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4119,6 +4257,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4147,6 +4286,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20200220183623-bac4c82f6975 or remove the package from the image.", "name": "golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4174,6 +4314,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package gopkg.in/yaml.v2 to the fixed version: v2.2.8 or remove the package from the image.", "name": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4201,6 +4342,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package k8s.io/client-go to the fixed version: v0.17.0 or remove the package from the image.", "name": "kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4226,6 +4368,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package k8s.io/client-go to the fixed version: v0.20.0-alpha.2 or remove the package from the image.", "name": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4250,6 +4393,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/dgrijalva/jwt-go to the fixed version: undefined or remove the package from the image.", "name": "jwt-go: access restriction bypass vulnerability", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4280,6 +4424,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/gogo/protobuf to the fixed version: v1.3.2 or remove the package from the image.", "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", "osi_layer": "NOT_APPLICABLE", "reference": { @@ -4306,6 +4451,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package github.com/miekg/dns to the fixed version: v1.1.25-0.20191211073109-8ebf2e419df7 or remove the package from the image.", "name": "golang-github-miekg-dns: predictable TXID can lead to response forgeries", "osi_layer": "NOT_APPLICABLE", "reference": { 
@@ -4332,6 +4478,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` "category": "Go Package Vulnerability", "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", "location": "https://github.com/secureCodeBox/secureCodeBox", + "mitigation": "Update the affected package golang.org/x/crypto to the fixed version: v0.0.0-20201216223049-8b5274cf687f or remove the package from the image.", "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", "osi_layer": "NOT_APPLICABLE", "reference": {
diff --git a/scanners/trivy/parser/parser.js b/scanners/trivy/parser/parser.js
index 36260551aa..00ab77f66f 100644
--- a/scanners/trivy/parser/parser.js
+++ b/scanners/trivy/parser/parser.js
@@ -44,6 +44,7 @@ async function parse(scanResults) {
         location: imageId,
         osi_layer: "NOT_APPLICABLE",
         severity: getAdjustedSeverity(vulnerability.Severity),
+        mitigation: "Update the affected package " + vulnerability.PkgName + " to the fixed version: " + vulnerability.FixedVersion + " or remove the package from the image.",
         reference,
         attributes: {
           installedVersion: vulnerability.InstalledVersion,
diff --git a/scanners/typo3scan/parser/__snapshots__/parser.test.js.snap b/scanners/typo3scan/parser/__snapshots__/parser.test.js.snap
index df525c9e6d..9954ef3b68 100644
--- a/scanners/typo3scan/parser/__snapshots__/parser.test.js.snap
+++ b/scanners/typo3scan/parser/__snapshots__/parser.test.js.snap
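Review bot: The added `mitigation` line in parse() interpolates `vulnerability.FixedVersion` unconditionally, so a finding with no fix is emitted as "to the fixed version: undefined" — the updated trivy snapshot in this same diff already records exactly that text for the three `github.com/dgrijalva/jwt-go` findings. Branch on the value before building the text and swap the `+` concatenation for a template literal while the line is being touched; the jwt-go snapshot entries then need regenerating with the new wording. The same parser also emits findings for repository scans (the snapshot's `location` is a GitHub URL for the Go findings), so "remove the package from the image" does not fit every target and a wording that does not presume a container image would be more accurate. parse() starts and ends outside this hunk, so the helper below would be added as a new top-level function in the same file.

```javascript
        severity: getAdjustedSeverity(vulnerability.Severity),
        mitigation: getMitigation(vulnerability),
        // … unchanged: reference, attributes …

// Builds the remediation text for one Trivy vulnerability. FixedVersion is
// absent in the scan output when no patched release is known, so the text
// must not depend on it being set.
function getMitigation({ PkgName, FixedVersion }) {
  if (!FixedVersion) {
    return `No fixed version is known yet for the affected package ${PkgName}. Remove the package or track the referenced advisory for a patched release.`;
  }
  return `Update the affected package ${PkgName} to the fixed version: ${FixedVersion} or remove the package.`;
}
```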
@@ -13,6 +13,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-026 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -28,6 +29,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type SQL Injection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-025 to fix the vulnerability.", "name": "SQL Injection", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -43,6 +45,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Directory Traversal found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-024 to fix the vulnerability.", "name": "Directory Traversal", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -58,6 +61,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-023 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -73,6 +77,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-022 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -88,6 +93,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-021 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -103,6 +109,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-020 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -118,6 +125,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution, Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-019 to fix the vulnerability.", "name": "Arbitrary Code Execution, Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -133,6 +141,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-018 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -148,6 +157,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-015 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -163,6 +173,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-014 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -178,6 +189,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-013 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -193,6 +205,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-012 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -208,6 +221,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-011 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -223,6 +237,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-008 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -238,6 +253,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-007 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -253,6 +269,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-006 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -268,6 +285,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-005 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -283,6 +301,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Broken Access Control found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-003 to fix the vulnerability.", "name": "Broken Access Control", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -298,6 +317,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-002 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -313,6 +333,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-001 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -328,6 +349,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Denial of Service found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-012 to fix the vulnerability.", "name": "Denial of Service", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -343,6 +365,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Denial of Service found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-011 to fix the vulnerability.", "name": "Denial of Service", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -358,6 +381,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-010 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -373,6 +397,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-009 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -388,6 +413,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-008 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -403,6 +429,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-007 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -418,6 +445,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-006 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -433,6 +461,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-005 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -448,6 +477,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-004 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -463,6 +493,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Privilege Escalation & SQL Injection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-003 to fix the vulnerability.", "name": "Privilege Escalation & SQL Injection", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -478,6 +509,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization & Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-002 to fix the vulnerability.", "name": "Insecure Deserialization & Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -493,6 +525,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Authentication Bypass found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-001 to fix the vulnerability.", "name": "Authentication Bypass", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -508,6 +541,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-007 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -523,6 +557,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-005 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -538,6 +573,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-006 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -553,6 +589,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-004 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -568,6 +605,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Sensitive Data Exposure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-011 to fix the vulnerability.", "name": "Sensitive Data Exposure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -583,6 +621,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-010 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -598,6 +637,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-009 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -613,6 +653,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-008 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -628,6 +669,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Sensitive Data Exposure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-006 to fix the vulnerability.", "name": "Sensitive Data Exposure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -643,6 +685,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Broken Access Control found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-003 to fix the vulnerability.", "name": "Broken Access Control", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -658,6 +701,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Unrestricted File Upload found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-002 to fix the vulnerability.", "name": "Unrestricted File Upload", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -673,6 +717,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Open Redirection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-001 to fix the vulnerability.", "name": "Open Redirection", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -688,6 +733,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site-Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-013 to fix the vulnerability.", "name": "Cross-Site-Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -703,6 +749,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-012 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -718,6 +765,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-011 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -733,6 +781,7 @@ exports[`parser parses large json result with vulnerable extensions successfully "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-010 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -880,6 +929,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-026 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -895,6 +945,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type SQL Injection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-025 to fix the vulnerability.", "name": "SQL Injection", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -910,6 +961,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Directory Traversal found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-024 to fix the vulnerability.", "name": "Directory Traversal", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -925,6 +977,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-023 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -940,6 +993,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-022 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -955,6 +1009,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-021 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -970,6 +1025,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-020 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -985,6 +1041,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution, Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-019 to fix the vulnerability.", "name": "Arbitrary Code Execution, Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1000,6 +1057,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-018 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1015,6 +1073,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-015 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1030,6 +1089,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-014 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1045,6 +1105,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-013 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1060,6 +1121,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-012 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1075,6 +1137,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-011 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1090,6 +1153,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-008 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1105,6 +1169,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-007 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1120,6 +1185,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-006 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1135,6 +1201,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-005 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1150,6 +1217,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Broken Access Control found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-003 to fix the vulnerability.", "name": "Broken Access Control", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1165,6 +1233,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-002 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1180,6 +1249,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2019-001 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1195,6 +1265,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Denial of Service found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-012 to fix the vulnerability.", "name": "Denial of Service", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1210,6 +1281,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Denial of Service found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-011 to fix the vulnerability.", "name": "Denial of Service", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1225,6 +1297,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-010 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1240,6 +1313,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Security Misconfiguration found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-009 to fix the vulnerability.", "name": "Security Misconfiguration", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1255,6 +1329,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-008 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1270,6 +1345,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-007 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1285,6 +1361,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-006 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1300,6 +1377,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-005 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1315,6 +1393,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-004 to fix the vulnerability.", "name": "Insecure Deserialization", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1330,6 +1409,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Privilege Escalation & SQL Injection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-003 to fix the vulnerability.", "name": "Privilege Escalation & SQL Injection", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1345,6 +1425,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Insecure Deserialization & Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-002 to fix the vulnerability.", "name": "Insecure Deserialization & Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1360,6 +1441,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Authentication Bypass found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2018-001 to fix the vulnerability.", "name": "Authentication Bypass", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1375,6 +1457,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Arbitrary Code Execution found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-007 to fix the vulnerability.", "name": "Arbitrary Code Execution", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1390,6 +1473,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-005 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1405,6 +1489,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-006 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1420,6 +1505,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2017-004 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1435,6 +1521,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Sensitive Data Exposure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-011 to fix the vulnerability.", "name": "Sensitive Data Exposure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1450,6 +1537,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-010 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1465,6 +1553,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2020-009 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1480,6 +1569,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-008 to fix the vulnerability.", "name": "Cross-Site Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1495,6 +1585,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Sensitive Data Exposure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-006 to fix the vulnerability.", "name": "Sensitive Data Exposure", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1510,6 +1601,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Broken Access Control found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-003 to fix the vulnerability.", "name": "Broken Access Control", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1525,6 +1617,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Unrestricted File Upload found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-002 to fix the vulnerability.", "name": "Unrestricted File Upload", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1540,6 +1633,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Open Redirection found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-001 to fix the vulnerability.", "name": "Open Redirection", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1555,6 +1649,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Cross-Site-Scripting found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-013 to fix the vulnerability.", "name": "Cross-Site-Scripting", "osi_layer": "APPLICATION", "severity": "HIGH", @@ -1570,6 +1665,7 @@ exports[`parser parses large json result without vulnerable extensions successfu "category": "Vulnerability", "description": "Vulnerability of type Information Disclosure found", "location": "http://localhost:80", + "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-012 to fix the vulnerability.", "name": "Information Disclosure", "osi_layer": "APPLICATION", "severity": "HIGH", 
@@ -1585,6 +1681,7 @@ exports[`parser parses large json result without vulnerable extensions successfu
 "category": "Vulnerability",
 "description": "Vulnerability of type Cross-Site Scripting found",
 "location": "http://localhost:80",
+ "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-011 to fix the vulnerability.",
 "name": "Cross-Site Scripting",
 "osi_layer": "APPLICATION",
 "severity": "HIGH",
@@ -1600,6 +1697,7 @@ exports[`parser parses large json result without vulnerable extensions successfu
 "category": "Vulnerability",
 "description": "Vulnerability of type Cross-Site Scripting found",
 "location": "http://localhost:80",
+ "mitigation": "Follow the instructions in the advisory https://typo3.org/security/advisory/typo3-core-sa-2021-010 to fix the vulnerability.",
 "name": "Cross-Site Scripting",
 "osi_layer": "APPLICATION",
 "severity": "HIGH",
diff --git a/scanners/typo3scan/parser/parser.js b/scanners/typo3scan/parser/parser.js
index 41f69946ca..30d7bf4d63 100644
--- a/scanners/typo3scan/parser/parser.js
+++ b/scanners/typo3scan/parser/parser.js
@@ -21,6 +21,7 @@ async function parse(findings) {
 location: domain,
 osi_layer: "APPLICATION",
 severity: "HIGH",
+ mitigation: "Follow the instructions in the advisory " + vuln['Advisory URL'] + " to fix the vulnerability.",
 attributes: {
 typo3_version: domain_findings.Version,
 advisory: vuln.Advisory,
diff --git a/scanners/zap/parser/__snapshots__/parser.test.js.snap b/scanners/zap/parser/__snapshots__/parser.test.js.snap
index a7ed1a3adf..4c51e11343 100644
--- a/scanners/zap/parser/__snapshots__/parser.test.js.snap
+++ b/scanners/zap/parser/__snapshots__/parser.test.js.snap
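Review bot: The new `mitigation` line in scanners/typo3scan/parser/parser.js interpolates `vuln['Advisory URL']` without checking it exists, so a typo3scan entry that lacks that field yields the text "Follow the instructions in the advisory undefined to fix the vulnerability." rather than an absent mitigation. Since `null` is already the value this change uses for findings without mitigation text (see the `"mitigation": null` entries in the zap snapshot), guard the field and fall back to it: `mitigation: vuln['Advisory URL'] ? "Follow the instructions in the advisory " + vuln['Advisory URL'] + " to fix the vulnerability." : null,`. The string assembly would also read more cleanly as a template literal, matching the ES2015 syntax already used elsewhere in the repository's parsers. The enclosing `parse` function begins and ends outside this hunk.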
@@ -36,6 +36,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A Content-Type of text/html was returned by the server.This is not one of the types expected to be returned by an API.Raised by the 'Alert on Unexpected Content Types' script", "hint": undefined, "location": "https://cwiki.apache.org", + "mitigation": null, "name": "Unexpected Content-Type was returned", "osi_layer": "APPLICATION", "severity": "LOW", @@ -67,6 +68,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A Content-Type of text/html was returned by the server.This is not one of the types expected to be returned by an API.Raised by the 'Alert on Unexpected Content Types' script", "hint": undefined, "location": "http://wiki.apache.org", + "mitigation": null, "name": "Unexpected Content-Type was returned", "osi_layer": "APPLICATION", "severity": "LOW", @@ -98,6 +100,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A Content-Type of binary/octet-stream was returned by the server.This is not one of the types expected to be returned by an API.Raised by the 'Alert on Unexpected Content Types' script", "hint": undefined, "location": "https://content-signature-2.cdn.mozilla.net", + "mitigation": null, "name": "Unexpected Content-Type was returned", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -150,6 +153,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.", "name": "Content Security Policy (CSP) Header Not Set", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -202,6 +206,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "This method was originally intended for file managemant operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource..", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "TBA", "name": "Insecure HTTP Method - PUT", "osi_layer": "APPLICATION", "severity": "MEDIUM", 
@@ -233,6 +238,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.", "name": "Missing Anti-clickjacking Header", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -292,6 +298,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A response code of 501 was returned by the server.This may indicate that the application is failing to handle unexpected input correctly.Raised by the 'Alert on HTTP Response Code Error' script", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": null, "name": "A Server Error response code was returned by the server", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -344,6 +351,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.", "name": "Server Leaks Version Information via "Server" HTTP Response Header Field", "osi_layer": "APPLICATION", "severity": "LOW", @@ -1103,6 +1111,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A Content-Type of text/html was returned by the server.This is not one of the types expected to be returned by an API.Raised by the 'Alert on Unexpected Content Types' script", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": null, "name": "Unexpected Content-Type was returned", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -1134,6 +1143,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.", "name": "X-Content-Type-Options Header Missing", "osi_layer": "APPLICATION", "severity": "LOW", @@ -1725,6 +1735,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "A response code of 404 was returned by the server.This may indicate that the application is failing to handle unexpected input correctly.Raised by the 'Alert on HTTP Response Code Error' script", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": null, "name": "A Client Error response code was returned by the server", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", @@ -1748,6 +1759,7 @@ exports[`Parsing a bodgeit result. 1`] = ` "description": "The site is only served under HTTP and not HTTPS.", "hint": undefined, "location": "http://bodgeit.securecodebox-demo.svc:8080", + "mitigation": "Configure your web or application server to use SSL (https).", "name": "HTTP Only Site", "osi_layer": "APPLICATION", "severity": "MEDIUM", 
@@ -1787,6 +1799,7 @@ exports[`Parsing a nginx result. 1`] = ` "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.", "hint": undefined, "location": "http://nginx.demo-targets.svc", + "mitigation": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).", "name": "X-Frame-Options Header Not Set", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -1831,6 +1844,7 @@ exports[`Parsing a nginx result. 1`] = ` "description": "The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.", "hint": undefined, "location": "http://nginx.demo-targets.svc", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.", "name": "Server Leaks Version Information via "Server" HTTP Response Header Field", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -1865,6 +1879,7 @@ exports[`Parsing a nginx result. 1`] = ` "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.", "hint": undefined, "location": "http://nginx.demo-targets.svc", + "mitigation": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.", "name": "X-Content-Type-Options Header Missing", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -1905,6 +1920,7 @@ exports[`Parsing a nginx result. 1`] = ` "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.", "hint": undefined, "location": "http://nginx.demo-targets.svc", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.", "name": "Content Security Policy (CSP) Header Not Set", "osi_layer": "APPLICATION", "severity": "LOW", @@ -2034,6 +2050,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "A timestamp was disclosed by the application/web server - Unix", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.", "name": "Timestamp Disclosure - Unix", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -2158,6 +2175,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.", "name": "X-Content-Type-Options Header Missing", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -2262,6 +2280,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.", "name": "Content Security Policy (CSP) Header Not Set", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -2386,6 +2405,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. ", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.", "name": "Retrieved from Cache", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", @@ -2530,6 +2550,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.", "name": "Incomplete or No Cache-control and Pragma HTTP Header Set", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -2649,6 +2670,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.", "name": "Private IP Disclosure", "osi_layer": "APPLICATION", "severity": "LOW", @@ -2773,6 +2795,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "This is an informational alert and so no changes are required.", "name": "Modern Web Application", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", @@ -2877,6 +2900,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Ensure that no sensitive information is leaked via redirect responses. Redirect responses should have almost no content.", "name": "Big Redirect Detected (Potential Sensitive Information Leak)", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -2981,6 +3005,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "name": "Information Disclosure - Suspicious Comments", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", @@ -3105,6 +3130,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).", "name": "X-Frame-Options Header Not Set", "osi_layer": "APPLICATION", "severity": "MEDIUM", 
@@ -3139,6 +3165,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.", "name": "Application Error Disclosure", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -3187,6 +3214,7 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "description": "HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.", "hint": undefined, "location": "https://docs.securecodebox.io", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.", "name": "Strict-Transport-Security Header Not Set", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -3236,6 +3264,7 @@ exports[`Parsing the example.com results. 1`] = ` "description": "The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.", "hint": undefined, "location": "http://example.com", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.", "name": "Server Leaks Version Information via "Server" HTTP Response Header Field", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -3280,6 +3309,7 @@ exports[`Parsing the example.com results. 1`] = ` "description": "The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. ", "hint": undefined, "location": "http://example.com", + "mitigation": "Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.", "name": "Retrieved from Cache", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -3320,6 +3350,7 @@ exports[`Parsing the example.com results. 1`] = ` "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.", "hint": undefined, "location": "http://example.com", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.", "name": "Content Security Policy (CSP) Header Not Set", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -3354,6 +3385,7 @@ exports[`Parsing the example.com results. 1`] = ` "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.", "hint": undefined, "location": "http://example.com", + "mitigation": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.", "name": "X-Content-Type-Options Header Missing", "osi_layer": "APPLICATION", "severity": "LOW", @@ -3388,6 +3420,7 @@ exports[`Parsing the example.com results. 1`] = ` "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.", "hint": undefined, "location": "http://example.com", + "mitigation": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).", "name": "X-Frame-Options Header Not Set", "osi_layer": "APPLICATION", "severity": "MEDIUM", 
@@ -3517,6 +3550,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.", "name": "Cross-Domain Misconfiguration", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -3636,6 +3670,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.", "name": "Cookie Poisoning", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -3760,6 +3795,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "A timestamp was disclosed by the application/web server - Unix", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.", "name": "Timestamp Disclosure - Unix", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", @@ -3904,6 +3940,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.", "name": "Session ID in URL Rewrite", "osi_layer": "APPLICATION", "severity": "MEDIUM", @@ -3963,6 +4000,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "This is an informational alert and so no changes are required.", "name": "Modern Web Application", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -4067,6 +4105,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Always scope cookies to a FQDN (Fully Qualified Domain Name).", "name": "Loosely Scoped Cookie", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -4191,6 +4230,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.", "name": "X-Content-Type-Options Header Missing", "osi_layer": "APPLICATION", "severity": "LOW", @@ -4243,6 +4283,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "name": "Information Disclosure - Suspicious Comments", "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", 
@@ -4319,6 +4360,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.", "name": "Content Security Policy (CSP) Header Not Set", "osi_layer": "APPLICATION", "severity": "LOW", @@ -4379,6 +4421,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "The page includes one or more script files from a third-party domain.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.", "name": "Cross-Domain JavaScript Source File Inclusion", "osi_layer": "APPLICATION", "severity": "LOW", 
@@ -4413,6 +4456,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).", "name": "X-Frame-Options Header Not Set", "osi_layer": "APPLICATION", "severity": "MEDIUM",
@@ -4442,6 +4486,7 @@ exports[`Parsing the juice-shop results. 1`] = ` "description": "A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.", "hint": undefined, "location": "http://juice-shop:3000", + "mitigation": "Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.", "name": "Private IP Disclosure", "osi_layer": "APPLICATION", "severity": "LOW",
diff --git a/scanners/zap/parser/parser.js b/scanners/zap/parser/parser.js
index cf30f1c2e9..f50ffe4ff8 100644
--- a/scanners/zap/parser/parser.js
+++ b/scanners/zap/parser/parser.js
@@ -65,6 +65,7 @@ function createFindingFromAlert(alert, { location, host, port }) {
 location,
 osi_layer: "APPLICATION",
 severity: riskToSeverity(alert.riskcode),
+ mitigation: stripHtmlTags(alert.solution) || null,
 attributes: {
 hostname: host,
 port,
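Review bot: The new `mitigation: stripHtmlTags(alert.solution) || null,` line loses sentence boundaries: the snapshot hunks in this commit show fused text such as "(using IP address white-listing, for instance).Configure the ..." and "for all web pages.If possible, ...", which suggests that stripHtmlTags drops ZAP's `<p>` block tags without substituting any whitespace. Consider having stripHtmlTags (defined outside this hunk) replace closing block tags with a newline or space before removing the remaining tags, so the stored mitigation stays readable in a finding viewer. Since `alert.solution` comes straight from the scanner report, a comment on this line noting that the value is tag-stripped scanner text rather than sanitized HTML would help downstream consumers that render findings. The `|| null` is presumably intentional so an empty solution maps to the schema's nullable field; a short comment such as `// empty solution text is stored as null (schema: mitigation is nullable)` would make that explicit. createFindingFromAlert begins and ends outside the hunk.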