Merge pull request #2163 from HHS/mb/TTAHUB-3013/system-added-empty-goal
[TTAHUB-3013] Do not roll up goal by status on reports
Showing 3 changed files with 15 additions and 2 deletions.
@@ -0,0 +1,10 @@ | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"metadata":null,"vulnerable_versions":"<=6.9.8","module_name":"nodemailer","severity":"moderate","github_advisory_id":"GHSA-9h6g-pr28-7cqp","cves":[],"access":"public","patched_versions":">=6.9.9","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-02-01T17:58:50.000Z","recommendation":"Upgrade to version 6.9.9 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096366,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. 
\n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(<img\\b[^>]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1096502,"path":"@elastic/elasticsearch>@elastic/transport>undici","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.19.1","paths":["@elastic/elasticsearch>@elastic/transport>undici"]}],"metadata":null,"vulnerable_versions":"<5.26.2","module_name":"undici","severity":"low","github_advisory_id":"GHSA-wqq4-5wpv-mx2g","cves":["CVE-2023-45143"],"access":"public","patched_versions":">=5.26.2","cvss":{"score":3.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-02-16T22:38:40.000Z","recommendation":"Upgrade to version 5.26.2 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096502,"references":"- https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp\n- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45143\n- https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76\n- https://hackerone.com/reports/2166948\n- https://github.com/nodejs/undici/releases/tag/v5.26.2\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y\n- https://github.com/advisories/GHSA-wqq4-5wpv-mx2g","created":"2023-10-16T14:05:37.000Z","reported_by":null,"title":"Undici's cookie header not cleared on cross-origin redirect in fetch","npm_advisory_id":null,"overview":"### 
Impact\n\nUndici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.\n\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.\n","url":"https://github.com/advisories/GHSA-wqq4-5wpv-mx2g"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1097109,"path":"@elastic/elasticsearch>@elastic/transport>undici","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.19.1","paths":["@elastic/elasticsearch>@elastic/transport>undici"]}],"metadata":null,"vulnerable_versions":"<5.28.4","module_name":"undici","severity":"low","github_advisory_id":"GHSA-m4v8-wqvr-p9f7","cves":["CVE-2024-30260"],"access":"public","patched_versions":">=5.28.4","cvss":{"score":3.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-04-20T00:31:53.000Z","recommendation":"Upgrade to version 5.28.4 or later","cwe":["CWE-200","CWE-285"],"found_by":null,"deleted":null,"id":1097109,"references":"- https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7\n- https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f\n- https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75\n- https://hackerone.com/reports/2408074\n- https://nvd.nist.gov/vuln/detail/CVE-2024-30260\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E\n- https://github.com/advisories/GHSA-m4v8-wqvr-p9f7","created":"2024-04-04T14:20:39.000Z","reported_by":null,"title":"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline","npm_advisory_id":null,"overview":"### Impact\n\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.\n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.\nFixes has been released in v5.28.4 and v6.11.1.\n\n### Workarounds\n\nuse 
`fetch()` or disable `maxRedirections`.\n\n### References\n\nLinzi Shang reported this.\n\n* https://hackerone.com/reports/2408074\n* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3\n","url":"https://github.com/advisories/GHSA-m4v8-wqvr-p9f7"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1097200,"path":"@elastic/elasticsearch>@elastic/transport>undici","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.19.1","paths":["@elastic/elasticsearch>@elastic/transport>undici"]}],"metadata":null,"vulnerable_versions":"<5.28.4","module_name":"undici","severity":"low","github_advisory_id":"GHSA-9qxr-qj54-h672","cves":["CVE-2024-30261"],"access":"public","patched_versions":">=5.28.4","cvss":{"score":2.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"},"updated":"2024-04-29T05:02:11.000Z","recommendation":"Upgrade to version 5.28.4 or later","cwe":["CWE-284"],"found_by":null,"deleted":null,"id":1097200,"references":"- https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672\n- https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055\n- https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3\n- https://hackerone.com/reports/2377760\n- https://nvd.nist.gov/vuln/detail/CVE-2024-30261\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ\n- https://github.com/advisories/GHSA-9qxr-qj54-h672","created":"2024-04-04T14:20:54.000Z","reported_by":null,"title":"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect","npm_advisory_id":null,"overview":"### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes has been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure 
that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760\n","url":"https://github.com/advisories/GHSA-9qxr-qj54-h672"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1097221,"path":"@elastic/elasticsearch>@elastic/transport>undici","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.19.1","paths":["@elastic/elasticsearch>@elastic/transport>undici"]}],"metadata":null,"vulnerable_versions":"<=5.28.2","module_name":"undici","severity":"low","github_advisory_id":"GHSA-3787-6prv-h9w3","cves":["CVE-2024-24758"],"access":"public","patched_versions":">=5.28.3","cvss":{"score":3.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-05-02T13:15:07.000Z","recommendation":"Upgrade to version 5.28.3 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1097221,"references":"- https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3\n- https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef\n- https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458\n- https://github.com/nodejs/undici/releases/tag/v5.28.3\n- https://github.com/nodejs/undici/releases/tag/v6.6.1\n- https://nvd.nist.gov/vuln/detail/CVE-2024-24758\n- https://security.netapp.com/advisory/ntap-20240419-0007\n- http://www.openwall.com/lists/oss-security/2024/03/11/1\n- https://github.com/advisories/GHSA-3787-6prv-h9w3","created":"2024-02-16T16:02:52.000Z","reported_by":null,"title":"Undici proxy-authorization header not cleared on cross-origin redirect in fetch","npm_advisory_id":null,"overview":"### Impact\n\nUndici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. \n\n### Patches\n\nThis is patched in v5.28.3 and v6.6.1\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g","url":"https://github.com/advisories/GHSA-3787-6prv-h9w3"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>topo>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. ","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1097335,"path":"pug","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"3.0.2","paths":["pug","email-templates>preview-email>pug"]}],"metadata":null,"vulnerable_versions":"<=3.0.2","module_name":"pug","severity":"high","github_advisory_id":"GHSA-3965-hpx2-q597","cves":["CVE-2024-36361"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-05-24T14:45:05.000Z","recommendation":"None","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1097335,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-36361\n- https://github.com/pugjs/pug/pull/3428\n- https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug\n- https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328\n- https://pugjs.org/api/reference.html\n- https://www.npmjs.com/package/pug-code-gen\n- https://github.com/advisories/GHSA-3965-hpx2-q597","created":"2024-05-24T14:45:02.000Z","reported_by":null,"title":"Pug allows JavaScript code execution if an application accepts untrusted input","npm_advisory_id":null,"overview":"Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.","url":"https://github.com/advisories/GHSA-3965-hpx2-q597"}}} | ||
{"type":"auditAdvisory","data":{"resolution":{"id":1097335,"path":"email-templates>preview-email>pug","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"3.0.2","paths":["pug","email-templates>preview-email>pug"]}],"metadata":null,"vulnerable_versions":"<=3.0.2","module_name":"pug","severity":"high","github_advisory_id":"GHSA-3965-hpx2-q597","cves":["CVE-2024-36361"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-05-24T14:45:05.000Z","recommendation":"None","cwe":["CWE-94"],"found_by":null,"deleted":null,"id":1097335,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-36361\n- https://github.com/pugjs/pug/pull/3428\n- https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug\n- https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328\n- https://pugjs.org/api/reference.html\n- https://www.npmjs.com/package/pug-code-gen\n- https://github.com/advisories/GHSA-3965-hpx2-q597","created":"2024-05-24T14:45:02.000Z","reported_by":null,"title":"Pug allows JavaScript code execution if an application accepts untrusted input","npm_advisory_id":null,"overview":"Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.","url":"https://github.com/advisories/GHSA-3965-hpx2-q597"}}} |
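Review bot: five of the ten advisory records added in this hunk carry an available fix in their `patched_versions` field (nodemailer GHSA-9h6g-pr28-7cqp: `>=6.9.9`; undici GHSA-wqq4-5wpv-mx2g: `>=5.26.2`; GHSA-3787-6prv-h9w3: `>=5.28.3`; GHSA-m4v8-wqvr-p9f7 and GHSA-9qxr-qj54-h672: `>=5.28.4`), so bumping the transitive dependencies reached through `email-templates>preview-email>mailparser` and `@elastic/elasticsearch>@elastic/transport` would clear those findings instead of recording them here. The remaining five (three hoek paths under `xml2json`, two pug paths) report `"patched_versions":"<0.0.0"` and `"recommendation":"None"`, which means no upstream fix exists; for those, a short rationale next to the record would help the next reviewer, for example that the pug overview itself notes `compileClient`, `compileFileClient` and `compileClientWithDependenciesTracked` "would typically" not be reachable by untrusted callers, and that hoek's `clone()` prototype pollution (CVE-2020-36604, severity high, CVSS 8.1) is only reachable if `__proto__` keys from untrusted input flow into `xml2json`. Also worth flagging: this file is unrelated to the PR title `[TTAHUB-3013] Do not roll up goal by status on reports`, so a separate commit or a line in the PR description explaining why the audit records changed would keep the history reviewable.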