Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| .eslintrc.js | | | | 0 | | 0 |
| .prettierrc.js | | | | 0 | | 0 |
| Gemfile.lock | | | | 0 | | 0 |
| babel.config.js | | | | 0 | | 0 |
| braces:3.0.2 | | pkg:npm/braces@3.0.2 | HIGH | 2 | | 3 |
| config.js | | | | 0 | | 0 |
| fast-xml-parser:4.3.6 | | pkg:npm/fast-xml-parser@4.3.6 | HIGH | 2 | | 3 |
| gradle-wrapper.jar | | | | 0 | | 8 |
| index.js | | | | 0 | | 0 |
| jest.config.js | | | | 0 | | 0 |
| lodash.pick:4.4.0 | | pkg:npm/lodash.pick@4.4.0 | HIGH | 1 | | 3 |
| metro.config.js | | | | 0 | | 0 |
| micromatch:4.0.5 | | pkg:npm/micromatch@4.0.5 | HIGH | 2 | | 3 |
| nanoid:3.3.7 | | pkg:npm/nanoid@3.3.7 | MEDIUM | 2 | | 3 |
| react-native.config.js | | | | 0 | | 0 |
| send:0.18.0 | | pkg:npm/send@0.18.0 | MEDIUM | 2 | | 3 |
| serve-static:1.15.0 | | pkg:npm/serve-static@1.15.0 | MEDIUM | 2 | | 3 |
| ws:7.5.9 | | pkg:npm/ws@7.5.9 | HIGH | 2 | | 3 |
File Path: D:\Auropayrepos\auropay-payment-mobile-app\.eslintrc.js
MD5: ee3839d010493015473712471d334665
SHA1: 0150171fa7e0db9497a3c4e998fa70680eb1b157
SHA256: 4a6869d72e894df2dde1b7b1875bdca7e927f2aa18c71ee14cb4347500952666
File Path: D:\Auropayrepos\auropay-payment-mobile-app\.prettierrc.js
MD5: 7456e48751aa9c41a2dc480fe7294452
SHA1: 361b83777c9c1e12a142c98be1ad8db6180e5737
SHA256: b0090e54c5a4263fd42a064405baa701d84bba6c6c168a648ddb388e3161649c
File Path: D:\Auropayrepos\auropay-payment-mobile-app\Gemfile.lock
MD5: b124ba7f764fadf476c603854cb042b7
SHA1: 8c98c3f0a8890a425a6b5b902ec3139471f6f815
SHA256: 26ed20fabcca26d4208d1ec3a921abda30e802caf1ae4ce406848498445f0275
File Path: D:\Auropayrepos\auropay-payment-mobile-app\babel.config.js
MD5: f7039412efda1452a30911fc0f2a2ea7
SHA1: 27b0580db5a4440332e1b5d1e2237280f4a6e161
SHA256: 2c2b99afe2f6c2b959a1031da66f6cf9b6d82bd0a2af3188a5a64cd742305c89
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?braces
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-4068 (NPM)
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
CWE-400 Uncontrolled Resource Consumption, CWE-1050 Excessive Platform Resource Consumption within a Loop
Vulnerable Software & Versions (NPM):
CVE-2024-4068 (OSSINDEX)
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
CWE-1050 Excessive Platform Resource Consumption within a Loop
Vulnerable Software & Versions (OSSINDEX):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\src\config.js
MD5: 3abee16076406e934a78078933a3588a
SHA1: c3679b7cf6e50924eef4600cded5a46261cfdb27
SHA256: 5d10aed2966b744eec395cde6bc223958f32870080c64c5cc620847bef2bfa34
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?fast-xml-parser
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-41818 (OSSINDEX)
fast-xml-parser is an open source, pure JavaScript XML parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-41818 for details.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-41818 (NPM)
### Summary
A ReDoS that exists in currency.js was discovered by the Gauss Security Labs R&D team.
### Details
https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex.
### PoC
Pass the following string: `'\t'.repeat(13337) + '.'`
### Impact
Denial of service during currency parsing in the experimental version 5 of the fast-xml-parser library. https://gauss-security.com
CWE-400 Uncontrolled Resource Consumption, CWE-1333 Inefficient Regular Expression Complexity
Note: the vulnerable regex lives in the experimental v5 currency value parser that is shipped inside the 4.x tree (see the v4.4.0 path above), so it is only reachable on a code path that invokes that parser. The dependency is transitive here, so confirm whether any such path exists, and upgrade to 4.4.1 regardless.
Vulnerable Software & Versions (NPM):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\android\gradle\wrapper\gradle-wrapper.jar
MD5: 6cf842e595188f6153a84f2c05815eb5
SHA1: 9a441e5080ee4b41eea415c020af18f4d7852ee2
SHA256: 0336f591bc0ec9aa0c9988929b93ecc916b3c1d52aed202c7381db144aa0ef15
File Path: D:\Auropayrepos\auropay-payment-mobile-app\index.js
MD5: 3b237e9c9c6db80a96078beb2252ec0e
SHA1: 556ea42c8b3c2e5dcfe741a40337a429e6cb013f
SHA256: 83d78c9686049920ca44d585568b4d70e9d4708cb8dac42cd687919a5520bb45
File Path: D:\Auropayrepos\auropay-payment-mobile-app\jest.config.js
MD5: d3752a586e1c39c1a9f412299eb803be
SHA1: 6f902fadd708cc40dba6c3dd912337a5bfd81567
SHA256: 787dc60d35ff6ac390c4013405ada43f5db8986b643fede7e61e319b45e65b34
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?lodash.pick
Referenced In Project/Scope: package-lock.json: transitive
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of a property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), CWE-770 Allocation of Resources Without Limits or Throttling
Note: the affected dependency here is the standalone per-method package lodash.pick@4.4.0, not the main lodash package, and the report names no fixed lodash.pick version. The practical remediation is to replace it with `pick` from lodash 4.17.19 or later (for example `require('lodash/pick')`), and to confirm whether any caller passes user-controlled property names to it.
Vulnerable Software & Versions (NPM):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\metro.config.js
MD5: 125205c2396b5bfaa3ba8ef677dda243
SHA1: 97ecda32b1ebb4b5f65d965a534169fc8ebf7064
SHA256: 4e357abb102f918836b2c96e63ef34f6c4fea3d9553b355e52569144b0abe638
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?micromatch
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-4067 (OSSINDEX)
The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking on the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-4067 (NPM)
The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking on the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?nanoid
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-55565 (OSSINDEX)
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-55565 (NPM)
When nanoid is called with a fractional value, there were a number of undesirable effects:
1. in browser and non-secure builds, the code loops forever on `while (size--)`
2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
3. if the first call in node is made with a fractional argument, the initial buffer allocation fails with an error
Versions 3.3.8 and 5.0.9 are fixed.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Vulnerable Software & Versions (NPM):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\react-native.config.js
MD5: 5d1c2c8e61208a4f4b93d5396066633f
SHA1: 0d2b26da1dd7b249f6b0f10b71370cfa64e16bb3
SHA256: 30ed74baea90cc2c6f4a58fcbe19b175955174ab174f6d5e7f325450067af8c0
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?send
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-43799 (NPM)
### Impact
Passing untrusted user input, even after sanitizing it, to `SendStream.redirect()` may execute untrusted code.
### Patches
This issue is patched in send 0.19.0.
### Workarounds
Users are encouraged to upgrade to the patched version of send (or of express, which depends on it), but can otherwise work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
### Details
Successful exploitation of this vector requires all of the following:
1. the attacker MUST control the input to `response.redirect()`
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete the redirection before the user acts
4. the user MUST click on the link in the template
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
CVE-2024-43799 (OSSINDEX)
Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to SendStream.redirect(), which executes untrusted code. This issue is patched in send 0.19.0. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-43799 for details.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?serve-static
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-43800 (NPM)
### Impact
Passing untrusted user input, even after sanitizing it, to `redirect()` may execute untrusted code.
### Patches
This issue is patched in serve-static 1.16.0.
### Workarounds
Users are encouraged to upgrade to the patched version of serve-static (or of express, which depends on it), but can otherwise work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
### Details
Successful exploitation of this vector requires all of the following:
1. the attacker MUST control the input to `response.redirect()`
2. express MUST NOT redirect before the template appears
3. the browser MUST NOT complete the redirection before the user acts
4. the user MUST click on the link in the template
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
CVE-2024-43800 (OSSINDEX)
serve-static serves static files. serve-static passes untrusted user input, even after sanitizing it, to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-43800 for details.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
File Path: D:\Auropayrepos\auropay-payment-mobile-app\package-lock.json?ws
Referenced In Project/Scope: package-lock.json: transitive
CVE-2024-37890 (OSSINDEX)
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
CWE-476 NULL Pointer Dereference
Note: the installed ws@7.5.9 is one patch release short of the 7.x backport (7.5.10). The crash is server-side, so it matters only where a WebSocket server built on this transitive copy of ws actually accepts connections; confirm which consumer pulls it in before rating the exposure.
Vulnerable Software & Versions (OSSINDEX):
### Impact
A request with a number of headers exceeding the [`server.maxHeadersCount`][] threshold could be used to crash a ws server.
### Proof of concept
```js
const http = require('http');
const WebSocket = require('ws');

// Start a ws server on an ephemeral port, then send it a single upgrade
// request carrying 2000 filler headers followed by the handshake headers.
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  // Build 2000 distinct header names from pairs of valid token characters.
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  // The handshake headers come after the 2000 filler headers, so they fall
  // beyond the server.maxHeadersCount limit when the server parses the request.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });
  request.end();
});
```
### Patches
The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)
### Workarounds
In vulnerable versions of ws, the issue can be mitigated in the following ways:
1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.
2. Set `server.maxHeadersCount` to `0` so that no limit is applied.
### Credits
The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.
### References
- https://github.com/websockets/ws/issues/2230
- https://github.com/websockets/ws/pull/2231
[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize
[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount
CWE-476 NULL Pointer Dereference
Vulnerable Software & Versions (NPM):