Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: D:\Onboarding\AWSInfrastructure\src\EmailHandler\EmailHandler.csproj
File Path: D:\Onboarding\AWSInfrastructure\src\RoleAccessHandler\RoleAccessHandler.csproj
MD5: 990e6a28e5a77cfc59ff0c0e5d23480e
SHA1: 8e2a84e5457bf44ee630019e4e316b9a31e8703c
SHA256:b728834a46907247101dbd86bf0fc870c10c88cfe342598cfbba35fd5a7f9d71
File Path: D:\Onboarding\AWSInfrastructure\src\EmailHandler\EmailHandler.csproj
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Vulnerable Software & Versions:
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "SQLite" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Vulnerable Software & Versions:
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
NVD-CWE-noinfo
Vulnerable Software & Versions:
Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, as used in Google Chrome before 40.0.2214.91, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
NVD-CWE-noinfo
Vulnerable Software & Versions:
File Path: D:\Onboarding\AWSInfrastructure\src\RoleAccessHandler\RoleAccessHandler.csproj
File Path: D:\Onboarding\AWSInfrastructure\src\EmailHandler\EmailHandler.csproj
CVE-2020-1045 (OSSINDEX)
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-1045 for details.
CWE-noinfo
Vulnerable Software & Versions (OSSINDEX):
File Path: D:\Onboarding\AWSInfrastructure\src\EmailHandler\EmailHandler.csproj
CVE-2024-32655 (OSSINDEX)
Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. This vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and 8.0.3.
CWE-190 Integer Overflow or Wraparound
Vulnerable Software & Versions (OSSINDEX):
File Path: D:\Onboarding\AWSInfrastructure\src\RoleAccessHandler\RoleAccessHandler.csproj
MD5: ff85613a1480e42c587ac1b18f868d1f
SHA1: 41ad4db38ed0d7b531218292abb58b0babfa679f
SHA256:c2db761af2830a555e7039e9136dda2d4ac2f7bc309f69fdc1b777799ad024fd
Description:
RoleAccessHandler
File Path: D:\Onboarding\AWSInfrastructure\src\RoleAccessHandler\bin\Debug\net6.0\RoleAccessHandler.dll
MD5: 303cca95a57dec7ab5071f08939554c6
SHA1: 42e245e98e5e23b5be714b8b809f04fe976fb970
SHA256:13a2fdb2fa0bc5f7c12f5963ada20c6ea4415cf9b38e320856f51694dd4022e4
File Path: D:\Onboarding\AWSInfrastructure\src\SwaggerMerger\package-lock.json?aws-sdk
Referenced In Project/Scope: package-lock.json: transitive
CVE-2020-28472 (OSSINDEX)
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
CWE-noinfo
Vulnerable Software & Versions (OSSINDEX):
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (NPM):
File Path: D:\Onboarding\AWSInfrastructure\src\CodePipelineDeployAPI\package-lock.json?aws-sdk
Referenced In Project/Scope: package-lock.json: transitive
CVE-2020-28472 (OSSINDEX)
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
CWE-noinfo
Vulnerable Software & Versions (OSSINDEX):
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (NPM):
File Path: D:\Onboarding\AWSInfrastructure\src\CodePipelineDeployAPI\index.js
MD5: 2d2841c111477092ebae36588872e3fc
SHA1: 240f27aeab0102ae7f7ca35fe3b04406b4e26a68
SHA256:c9258f5776b445e63bb223b3450e7942c93834ac5cc43fa81ee0e72a3c64b2ee
File Path: D:\Onboarding\AWSInfrastructure\src\OperationsFromSwagger\index.js
MD5: 572545e8e3de393bd59e2efdc58b9124
SHA1: bff1caef4400026cb365bd8d75754cf34e7a4e46
SHA256:2726ca8f117f834fdef7b703cf29de66b006ea8c6369b4124dfde11c27952d18
File Path: D:\Onboarding\AWSInfrastructure\src\SwaggerMerger\index.js
MD5: cfd3efe32ac93649861ef62c78531487
SHA1: 64c03db2ab83cba47e6b561690ce83272e814b66
SHA256:760cf97145173e06f16875ca9af83960385dceebc1c4fc68137dcdce4062381e
File Path: D:\Onboarding\AWSInfrastructure\src\CodePipelineDeployAPI\package-lock.json?jszip
Referenced In Project/Scope: package-lock.json: transitive
CVE-2022-48285 (OSSINDEX)
jszip - Arbitrary File Write via Archive Extraction (Zip Slip). The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
CWE-29 Path Traversal: '\..\filename'
Vulnerable Software & Versions (OSSINDEX):
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerable Software & Versions (NPM):
CVE-2021-23413 (OSSINDEX)
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, `toString`, etc.) results in a returned object with a modified prototype instance. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-23413 for details.
CWE-noinfo
Vulnerable Software & Versions (OSSINDEX):
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, `toString`, etc.) results in a returned object with a modified prototype instance.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (NPM):
File Path: D:\Onboarding\AWSInfrastructure\src\SwaggerMerger\package-lock.json?lodash
Referenced In Project/Scope: package-lock.json: transitive
CVE-2019-10744 (OSSINDEX)
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (OSSINDEX):
Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.12 or later.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), CWE-20 Improper Input Validation
Vulnerable Software & Versions (NPM):
CVE-2020-8203 (OSSINDEX)
lodash - Prototype Pollution [ CVE-2020-8203 ]. The software does not properly protect an assumed-immutable element from being modified by an attacker. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-8203 for details.
CWE-471 Modification of Assumed-Immutable Data (MAID)
Vulnerable Software & Versions (OSSINDEX):
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), CWE-770 Allocation of Resources Without Limits or Throttling
Vulnerable Software & Versions (NPM):
CVE-2021-23337 (OSSINDEX)
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Vulnerable Software & Versions (OSSINDEX):
`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-94 Improper Control of Generation of Code ('Code Injection')
Vulnerable Software & Versions (NPM):
Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.
## Recommendation
Update to version 4.17.11 or later.
CWE-400 Uncontrolled Resource Consumption
Vulnerable Software & Versions (NPM):
CVE-2018-16487 (OSSINDEX)
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2018-16487 for details.
CWE-400 Uncontrolled Resource Consumption
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-28500 (OSSINDEX)
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-28500 for details.
CWE-Other
Vulnerable Software & Versions (OSSINDEX):
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.
Steps to reproduce (provided by reporter Liyuan Chen):
```js
// Reporter's timing harness: builds "1" + n spaces + "1" and measures how long
// lodash's trim, toNumber and trimEnd take on it. On versions before 4.17.21
// the whitespace regex backtracks, so the cost grows out of proportion to n.
var lo = require('lodash');

function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
CWE-400 Uncontrolled Resource Consumption, CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
CWE-400 Uncontrolled Resource Consumption
Vulnerable Software & Versions (NPM):
File Path: D:\Onboarding\AWSInfrastructure\src\OperationsFromSwagger\operation.js
MD5: f3e8012e045b95ad06ac68dd67570f3d
SHA1: 44a324c71e1f4573b745622c1d4fbc8c9a5bb7a6
SHA256:552c271906a3241f8c2e1db0ac3f25dd5b9874238cb44952d13d71895246a91a
File Path: D:\Onboarding\AWSInfrastructure\src\SwaggerMerger\swaggermerge.js
MD5: 543febcd71e672ba3696360e0e44e44c
SHA1: 52fb4dfef640055549bf7744035d7fbfc5f33565
SHA256:d4bc0998ab1bd4681f24054ec1614e52fc7051525a3e145954d82843921cbb5f
File Path: D:\Onboarding\AWSInfrastructure\src\SwaggerMerger\package-lock.json?xml2js
Referenced In Project/Scope: package-lock.json: transitive
CVE-2023-0842 (OSSINDEX)
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-0842 for details.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (OSSINDEX):
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions (NPM):