
Commit feb168c

prettify sample scan files (#14113)
* prettify sample scan files * prettify sample scan files
1 parent 9831998 commit feb168c

5 files changed

Lines changed: 519 additions & 13 deletions


Lines changed: 24 additions & 1 deletion
@@ -1 +1,24 @@
1-
<?xml version="1.0"?><analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.5.xsd"><scanInfo><engineVersion>6.5.3</engineVersion><dataSource><name>NVD CVE Checked</name><timestamp>2022-01-22T14:36:52</timestamp></dataSource><dataSource><name>NVD CVE Modified</name><timestamp>2022-01-22T14:00:01</timestamp></dataSource><dataSource><name>VersionCheckOn</name><timestamp>2022-01-15T15:27:20</timestamp></dataSource></scanInfo><projectInfo><name></name><reportDate>2022-01-22T13:40:32.740468526Z</reportDate><credits>This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.</credits></projectInfo><dependencies></dependencies></analysis>
1+
<?xml version="1.0" ?>
2+
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.5.xsd">
3+
<scanInfo>
4+
<engineVersion>6.5.3</engineVersion>
5+
<dataSource>
6+
<name>NVD CVE Checked</name>
7+
<timestamp>2022-01-22T14:36:52</timestamp>
8+
</dataSource>
9+
<dataSource>
10+
<name>NVD CVE Modified</name>
11+
<timestamp>2022-01-22T14:00:01</timestamp>
12+
</dataSource>
13+
<dataSource>
14+
<name>VersionCheckOn</name>
15+
<timestamp>2022-01-15T15:27:20</timestamp>
16+
</dataSource>
17+
</scanInfo>
18+
<projectInfo>
19+
<name/>
20+
<reportDate>2022-01-22T13:40:32.740468526Z</reportDate>
21+
<credits>This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.</credits>
22+
</projectInfo>
23+
<dependencies/>
24+
</analysis>

unittests/scans/nsp/scan.json

Lines changed: 192 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,192 @@
1-
[{"id":521,"updated_at":"2018-05-08T14:27:01.871Z","created_at":"2017-08-13T04:26:17.960Z","publish_date":"2017-08-13T04:34:53.158Z","overview":"Affected versions of `pg` contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name. \n\nThere are two specific scenarios in which it is likely for an application to be vulnerable:\n1. The application executes unsafe, user-supplied sql which contains malicious column names.\n2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.\n\n## Proof of Concept\n```\nconst { Client } = require('pg')\nconst client = new Client()\nclient.connect()\n\nconst sql = `SELECT 1 AS \"\\\\'/*\", 2 AS \"\\\\'*/\\n + console.log(process.env)] = null;\\n//\"`\n\nclient.query(sql, (err, res) => {\n client.end()\n})\n```","recommendation":"* Version 2.x.x: Update to version 2.11.2 or later.\n* Version 3.x.x: Update to version 3.6.4 or later.\n* Version 4.x.x: Update to version 4.5.7 or later.\n* Version 5.x.x: Update to version 5.2.1 or later.\n* Version 6.x.x: Update to version 6.4.2 or later. ( Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched. )\n* Version 7.x.x: Update to version 7.1.2 or later. ( Note that version 7.0.2 is also patched. 
)","cvss_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","cvss_score":8.3,"module":"pg","version":"5.1.0","vulnerable_versions":"< 2.11.2 || >= 3.0.0 < 3.6.4 || >= 4.0.0 < 4.5.7 || >= 5.0.0 < 5.2.1 || >= 6.0.0 < 6.0.5 || >= 6.1.0 < 6.1.6 || >= 6.2.0 < 6.2.5 || >= 6.3.0 < 6.3.3 || >= 6.4.0 < 6.4.2 || >= 7.0.0 < 7.0.2 || >= 7.1.0 < 7.1.2","patched_versions":">= 2.11.2 < 3.0.0|| >= 3.6.4 < 4.0.0 || >= 4.5.7 < 5.0.0 || >= 5.2.1 < 6.0.0 || >= 6.0.5 < 6.1.0 || >= 6.1.6 < 6.2.0 || >= 6.2.5 < 6.3.0 || >= 6.3.3 < 6.4.0 || >= 6.4.2 < 7.0.0 || >= 7.0.2 < 7.1.0 || >= 7.1.2","title":"Remote Code Execution","path":["vulnerable-node-source@0.0.0","pg-promise@4.8.1","pg@5.1.0"],"advisory":"https://nodesecurity.io/advisories/521"},{"id":535,"updated_at":"2018-05-08T14:27:01.895Z","created_at":"2017-09-25T19:02:28.152Z","publish_date":"2017-09-27T18:25:14.672Z","overview":"Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.","recommendation":"Update to version 2.0.3 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cvss_score":7.5,"module":"mime","version":"1.3.4","vulnerable_versions":"< 1.4.1 || > 2.0.0 < 2.0.3","patched_versions":">= 1.4.1 < 2.0.0 || >= 2.0.3","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","express@4.13.4","send@0.13.1","mime@1.3.4"],"advisory":"https://nodesecurity.io/advisories/535"},{"id":526,"updated_at":"2018-05-08T14:27:01.882Z","created_at":"2017-09-08T20:23:54.164Z","publish_date":"2017-09-26T16:06:50.827Z","overview":"Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.","recommendation":"Update to version 0.5.2 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cvss_score":7.5,"module":"fresh","version":"0.3.0","vulnerable_versions":"< 0.5.2","patched_versions":">= 0.5.2","title":"Regular Expression 
Denial of Service","path":["vulnerable-node-source@0.0.0","express@4.13.4","fresh@0.3.0"],"advisory":"https://nodesecurity.io/advisories/526"},{"id":526,"updated_at":"2018-05-08T14:27:01.882Z","created_at":"2017-09-08T20:23:54.164Z","publish_date":"2017-09-26T16:06:50.827Z","overview":"Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.","recommendation":"Update to version 0.5.2 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cvss_score":7.5,"module":"fresh","version":"0.3.0","vulnerable_versions":"< 0.5.2","patched_versions":">= 0.5.2","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","serve-favicon@2.3.2","fresh@0.3.0"],"advisory":"https://nodesecurity.io/advisories/526"},{"id":106,"updated_at":"2018-05-08T14:27:01.154Z","created_at":"2016-05-04T16:34:12.000Z","publish_date":"2016-06-16T17:36:06.000Z","overview":"Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.\n\n","recommendation":"Update to version 0.6.1 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cvss_score":7.5,"module":"negotiator","version":"0.5.3","vulnerable_versions":"<= 0.6.0","patched_versions":">= 0.6.1","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","express@4.13.4","accepts@1.2.13","negotiator@0.5.3"],"advisory":"https://nodesecurity.io/advisories/106"},{"id":534,"updated_at":"2018-05-16T19:37:31.802Z","created_at":"2017-09-25T18:55:55.956Z","publish_date":"2017-09-27T18:24:24.490Z","overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 
\n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.","recommendation":"Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","cvss_score":3.7,"module":"debug","version":"2.2.0","vulnerable_versions":"<= 2.6.8 || >= 3.0.0 <= 3.0.1","patched_versions":">= 2.6.9 < 3.0.0 || >= 3.1.0","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","body-parser@1.13.3","debug@2.2.0"],"advisory":"https://nodesecurity.io/advisories/534"},{"id":534,"updated_at":"2018-05-16T19:37:31.802Z","created_at":"2017-09-25T18:55:55.956Z","publish_date":"2017-09-27T18:24:24.490Z","overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.","recommendation":"Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","cvss_score":3.7,"module":"debug","version":"2.2.0","vulnerable_versions":"<= 2.6.8 || >= 3.0.0 <= 3.0.1","patched_versions":">= 2.6.9 < 3.0.0 || >= 3.1.0","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","debug@2.2.0"],"advisory":"https://nodesecurity.io/advisories/534"},{"id":534,"updated_at":"2018-05-16T19:37:31.802Z","created_at":"2017-09-25T18:55:55.956Z","publish_date":"2017-09-27T18:24:24.490Z","overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 
\n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.","recommendation":"Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","cvss_score":3.7,"module":"debug","version":"2.2.0","vulnerable_versions":"<= 2.6.8 || >= 3.0.0 <= 3.0.1","patched_versions":">= 2.6.9 < 3.0.0 || >= 3.1.0","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","express@4.13.4","debug@2.2.0"],"advisory":"https://nodesecurity.io/advisories/534"},{"id":534,"updated_at":"2018-05-16T19:37:31.802Z","created_at":"2017-09-25T18:55:55.956Z","publish_date":"2017-09-27T18:24:24.490Z","overview":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.","recommendation":"Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.","cvss_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","cvss_score":3.7,"module":"debug","version":"2.2.0","vulnerable_versions":"<= 2.6.8 || >= 3.0.0 <= 3.0.1","patched_versions":">= 2.6.9 < 3.0.0 || >= 3.1.0","title":"Regular Expression Denial of Service","path":["vulnerable-node-source@0.0.0","morgan@1.6.1","debug@2.2.0"],"advisory":"https://nodesecurity.io/advisories/534"}]
1+
[
2+
{
3+
"id": 521,
4+
"updated_at": "2018-05-08T14:27:01.871Z",
5+
"created_at": "2017-08-13T04:26:17.960Z",
6+
"publish_date": "2017-08-13T04:34:53.158Z",
7+
"overview": "Affected versions of `pg` contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name. \n\nThere are two specific scenarios in which it is likely for an application to be vulnerable:\n1. The application executes unsafe, user-supplied sql which contains malicious column names.\n2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.\n\n## Proof of Concept\n```\nconst { Client } = require('pg')\nconst client = new Client()\nclient.connect()\n\nconst sql = `SELECT 1 AS \"\\\\'/*\", 2 AS \"\\\\'*/\\n + console.log(process.env)] = null;\\n//\"`\n\nclient.query(sql, (err, res) => {\n client.end()\n})\n```",
8+
"recommendation": "* Version 2.x.x: Update to version 2.11.2 or later.\n* Version 3.x.x: Update to version 3.6.4 or later.\n* Version 4.x.x: Update to version 4.5.7 or later.\n* Version 5.x.x: Update to version 5.2.1 or later.\n* Version 6.x.x: Update to version 6.4.2 or later. ( Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched. )\n* Version 7.x.x: Update to version 7.1.2 or later. ( Note that version 7.0.2 is also patched. )",
9+
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
10+
"cvss_score": 8.3,
11+
"module": "pg",
12+
"version": "5.1.0",
13+
"vulnerable_versions": "< 2.11.2 || >= 3.0.0 < 3.6.4 || >= 4.0.0 < 4.5.7 || >= 5.0.0 < 5.2.1 || >= 6.0.0 < 6.0.5 || >= 6.1.0 < 6.1.6 || >= 6.2.0 < 6.2.5 || >= 6.3.0 < 6.3.3 || >= 6.4.0 < 6.4.2 || >= 7.0.0 < 7.0.2 || >= 7.1.0 < 7.1.2",
14+
"patched_versions": ">= 2.11.2 < 3.0.0|| >= 3.6.4 < 4.0.0 || >= 4.5.7 < 5.0.0 || >= 5.2.1 < 6.0.0 || >= 6.0.5 < 6.1.0 || >= 6.1.6 < 6.2.0 || >= 6.2.5 < 6.3.0 || >= 6.3.3 < 6.4.0 || >= 6.4.2 < 7.0.0 || >= 7.0.2 < 7.1.0 || >= 7.1.2",
15+
"title": "Remote Code Execution",
16+
"path": [
17+
"vulnerable-node-source@0.0.0",
18+
"pg-promise@4.8.1",
19+
"pg@5.1.0"
20+
],
21+
"advisory": "https://nodesecurity.io/advisories/521"
22+
},
23+
{
24+
"id": 535,
25+
"updated_at": "2018-05-08T14:27:01.895Z",
26+
"created_at": "2017-09-25T19:02:28.152Z",
27+
"publish_date": "2017-09-27T18:25:14.672Z",
28+
"overview": "Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.",
29+
"recommendation": "Update to version 2.0.3 or later.",
30+
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
31+
"cvss_score": 7.5,
32+
"module": "mime",
33+
"version": "1.3.4",
34+
"vulnerable_versions": "< 1.4.1 || > 2.0.0 < 2.0.3",
35+
"patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3",
36+
"title": "Regular Expression Denial of Service",
37+
"path": [
38+
"vulnerable-node-source@0.0.0",
39+
"express@4.13.4",
40+
"send@0.13.1",
41+
"mime@1.3.4"
42+
],
43+
"advisory": "https://nodesecurity.io/advisories/535"
44+
},
45+
{
46+
"id": 526,
47+
"updated_at": "2018-05-08T14:27:01.882Z",
48+
"created_at": "2017-09-08T20:23:54.164Z",
49+
"publish_date": "2017-09-26T16:06:50.827Z",
50+
"overview": "Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.",
51+
"recommendation": "Update to version 0.5.2 or later.",
52+
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
53+
"cvss_score": 7.5,
54+
"module": "fresh",
55+
"version": "0.3.0",
56+
"vulnerable_versions": "< 0.5.2",
57+
"patched_versions": ">= 0.5.2",
58+
"title": "Regular Expression Denial of Service",
59+
"path": [
60+
"vulnerable-node-source@0.0.0",
61+
"express@4.13.4",
62+
"fresh@0.3.0"
63+
],
64+
"advisory": "https://nodesecurity.io/advisories/526"
65+
},
66+
{
67+
"id": 526,
68+
"updated_at": "2018-05-08T14:27:01.882Z",
69+
"created_at": "2017-09-08T20:23:54.164Z",
70+
"publish_date": "2017-09-26T16:06:50.827Z",
71+
"overview": "Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.",
72+
"recommendation": "Update to version 0.5.2 or later.",
73+
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
74+
"cvss_score": 7.5,
75+
"module": "fresh",
76+
"version": "0.3.0",
77+
"vulnerable_versions": "< 0.5.2",
78+
"patched_versions": ">= 0.5.2",
79+
"title": "Regular Expression Denial of Service",
80+
"path": [
81+
"vulnerable-node-source@0.0.0",
82+
"serve-favicon@2.3.2",
83+
"fresh@0.3.0"
84+
],
85+
"advisory": "https://nodesecurity.io/advisories/526"
86+
},
87+
{
88+
"id": 106,
89+
"updated_at": "2018-05-08T14:27:01.154Z",
90+
"created_at": "2016-05-04T16:34:12.000Z",
91+
"publish_date": "2016-06-16T17:36:06.000Z",
92+
"overview": "Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.\n\n",
93+
"recommendation": "Update to version 0.6.1 or later.",
94+
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
95+
"cvss_score": 7.5,
96+
"module": "negotiator",
97+
"version": "0.5.3",
98+
"vulnerable_versions": "<= 0.6.0",
99+
"patched_versions": ">= 0.6.1",
100+
"title": "Regular Expression Denial of Service",
101+
"path": [
102+
"vulnerable-node-source@0.0.0",
103+
"express@4.13.4",
104+
"accepts@1.2.13",
105+
"negotiator@0.5.3"
106+
],
107+
"advisory": "https://nodesecurity.io/advisories/106"
108+
},
109+
{
110+
"id": 534,
111+
"updated_at": "2018-05-16T19:37:31.802Z",
112+
"created_at": "2017-09-25T18:55:55.956Z",
113+
"publish_date": "2017-09-27T18:24:24.490Z",
114+
"overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
115+
"recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.",
116+
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
117+
"cvss_score": 3.7,
118+
"module": "debug",
119+
"version": "2.2.0",
120+
"vulnerable_versions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
121+
"patched_versions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
122+
"title": "Regular Expression Denial of Service",
123+
"path": [
124+
"vulnerable-node-source@0.0.0",
125+
"body-parser@1.13.3",
126+
"debug@2.2.0"
127+
],
128+
"advisory": "https://nodesecurity.io/advisories/534"
129+
},
130+
{
131+
"id": 534,
132+
"updated_at": "2018-05-16T19:37:31.802Z",
133+
"created_at": "2017-09-25T18:55:55.956Z",
134+
"publish_date": "2017-09-27T18:24:24.490Z",
135+
"overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
136+
"recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.",
137+
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
138+
"cvss_score": 3.7,
139+
"module": "debug",
140+
"version": "2.2.0",
141+
"vulnerable_versions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
142+
"patched_versions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
143+
"title": "Regular Expression Denial of Service",
144+
"path": [
145+
"vulnerable-node-source@0.0.0",
146+
"debug@2.2.0"
147+
],
148+
"advisory": "https://nodesecurity.io/advisories/534"
149+
},
150+
{
151+
"id": 534,
152+
"updated_at": "2018-05-16T19:37:31.802Z",
153+
"created_at": "2017-09-25T18:55:55.956Z",
154+
"publish_date": "2017-09-27T18:24:24.490Z",
155+
"overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
156+
"recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.",
157+
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
158+
"cvss_score": 3.7,
159+
"module": "debug",
160+
"version": "2.2.0",
161+
"vulnerable_versions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
162+
"patched_versions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
163+
"title": "Regular Expression Denial of Service",
164+
"path": [
165+
"vulnerable-node-source@0.0.0",
166+
"express@4.13.4",
167+
"debug@2.2.0"
168+
],
169+
"advisory": "https://nodesecurity.io/advisories/534"
170+
},
171+
{
172+
"id": 534,
173+
"updated_at": "2018-05-16T19:37:31.802Z",
174+
"created_at": "2017-09-25T18:55:55.956Z",
175+
"publish_date": "2017-09-27T18:24:24.490Z",
176+
"overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
177+
"recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.",
178+
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
179+
"cvss_score": 3.7,
180+
"module": "debug",
181+
"version": "2.2.0",
182+
"vulnerable_versions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
183+
"patched_versions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
184+
"title": "Regular Expression Denial of Service",
185+
"path": [
186+
"vulnerable-node-source@0.0.0",
187+
"morgan@1.6.1",
188+
"debug@2.2.0"
189+
],
190+
"advisory": "https://nodesecurity.io/advisories/534"
191+
}
192+
]
