Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

translate-google-1.5.0.tgz: 7 vulnerabilities (highest severity is: 10.0) #14

Open
mend-bolt-for-github bot opened this issue Feb 28, 2023 · 0 comments
Open

translate-google-1.5.0.tgz: 7 vulnerabilities (highest severity is: 10.0) #14

mend-bolt-for-github bot opened this issue Feb 28, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Feb 28, 2023
edited

Vulnerable Library - translate-google-1.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (translate-google version) Remediation Possible**
CVE-2023-26122 Critical 10.0 safe-eval-0.4.1.tgz Transitive N/A*
CVE-2023-26121 Critical 10.0 safe-eval-0.4.1.tgz Transitive N/A*
WS-2020-0077 Critical 9.8 safe-eval-0.4.1.tgz Transitive N/A*
CVE-2022-25904 Critical 9.8 safe-eval-0.4.1.tgz Transitive N/A*
CVE-2020-7710 Critical 9.8 safe-eval-0.4.1.tgz Transitive N/A*
CVE-2023-26139 High 7.5 underscore-keypath-0.0.22.tgz Transitive N/A*
CVE-2020-7753 High 7.5 trim-0.0.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26122

Vulnerable Library - safe-eval-0.4.1.tgz

Safer version of eval()

Library home page: https://registry.npmjs.org/safe-eval/-/safe-eval-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/safe-eval/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • safe-eval-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation.
Exploiting this vulnerability might result in remote code execution ("RCE").

Vulnerable functions:

defineGetter, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

Publish Date: 2023-04-11

URL: CVE-2023-26122

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-26121

Vulnerable Library - safe-eval-0.4.1.tgz

Safer version of eval()

Library home page: https://registry.npmjs.org/safe-eval/-/safe-eval-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/safe-eval/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • safe-eval-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.

Publish Date: 2023-04-11

URL: CVE-2023-26121

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

WS-2020-0077

Vulnerable Library - safe-eval-0.4.1.tgz

Safer version of eval()

Library home page: https://registry.npmjs.org/safe-eval/-/safe-eval-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/safe-eval/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • safe-eval-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

safe-eval through 0.4.1 is vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through Error objects. This may allow attackers to execute arbitrary code in the system.

Publish Date: 2020-05-20

URL: WS-2020-0077

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-25904

Vulnerable Library - safe-eval-0.4.1.tgz

Safer version of eval()

Library home page: https://registry.npmjs.org/safe-eval/-/safe-eval-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/safe-eval/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • safe-eval-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Publish Date: 2022-12-20

URL: CVE-2022-25904

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2020-7710

Vulnerable Library - safe-eval-0.4.1.tgz

Safer version of eval()

Library home page: https://registry.npmjs.org/safe-eval/-/safe-eval-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/safe-eval/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • safe-eval-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine.

Publish Date: 2020-08-21

URL: CVE-2020-7710

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-26139

Vulnerable Library - underscore-keypath-0.0.22.tgz

Adds Key-Path mechanism extensions for underscore

Library home page: https://registry.npmjs.org/underscore-keypath/-/underscore-keypath-0.0.22.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/underscore-keypath/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • user-agents-1.0.1304.tgz
      • dot-json-1.2.2.tgz
        • underscore-keypath-0.0.22.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “proto”.

Publish Date: 2023-08-01

URL: CVE-2023-26139

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2020-7753

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:

  • translate-google-1.5.0.tgz (Root Library)
    • num-or-not-1.0.1.tgz
      • trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: fe4be47f59a3978dcf06a4d0698c67585e715a31

Found in base branch: master

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Feb 28, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title translate-google-1.5.0.tgz: 4 vulnerabilities (highest severity is: 9.8) translate-google-1.5.0.tgz: 6 vulnerabilities (highest severity is: 9.8) Apr 12, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title translate-google-1.5.0.tgz: 6 vulnerabilities (highest severity is: 9.8) translate-google-1.5.0.tgz: 7 vulnerabilities (highest severity is: 10.0) Aug 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants