firebase-admin-8.12.0.tgz: 15 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - firebase-admin-8.12.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (firebase-admin version)	Remediation Possible**
CVE-2020-7720	Critical	9.8	node-forge-0.7.4.tgz	Transitive	9.2.0	✅
WS-2020-0219	High	7.5	date-and-time-0.13.1.tgz	Transitive	8.12.1	✅
CVE-2022-24772	High	7.5	node-forge-0.7.4.tgz	Transitive	10.0.2	✅
CVE-2022-24771	High	7.5	node-forge-0.7.4.tgz	Transitive	10.0.2	✅
CVE-2022-24434	High	7.5	dicer-0.3.0.tgz	Transitive	N/A*	❌
CVE-2020-7662	High	7.5	websocket-extensions-0.1.3.tgz	Transitive	8.12.1	✅
CVE-2020-26289	High	7.5	date-and-time-0.13.1.tgz	Transitive	8.12.1	✅
WS-2022-0008	Medium	6.6	node-forge-0.7.4.tgz	Transitive	10.0.2	✅
CVE-2022-23540	Medium	6.4	jsonwebtoken-8.1.0.tgz	Transitive	11.4.1	✅
CVE-2022-0122	Medium	6.1	node-forge-0.7.4.tgz	Transitive	10.0.2	✅
CVE-2022-23539	Medium	5.9	jsonwebtoken-8.1.0.tgz	Transitive	11.4.1	✅
CVE-2020-7765	Medium	5.6	util-0.2.45.tgz	Transitive	9.4.2	✅
CVE-2022-24773	Medium	5.3	node-forge-0.7.4.tgz	Transitive	10.0.2	✅
CVE-2022-23541	Medium	5.0	jsonwebtoken-8.1.0.tgz	Transitive	11.4.1	✅
CVE-2023-6460	Medium	4.0	firestore-3.7.5.tgz	Transitive	11.1.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-7720

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (firebase-admin): 9.2.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0219

Vulnerable Library - date-and-time-0.13.1.tgz

A Minimalist DateTime utility for Node.js and the browser

Library home page: https://registry.npmjs.org/date-and-time/-/date-and-time-0.13.1.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/date-and-time/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • storage-4.7.0.tgz
    • ❌ date-and-time-0.13.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Due to an overly permissive regular expression, the parsing of certain date strings may lead to a denial of service.

Publish Date: 2020-12-25

URL: WS-2020-0219

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-25

Fix Resolution (date-and-time): 0.14.2

Direct dependency fix Resolution (firebase-admin): 8.12.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24772

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (firebase-admin): 10.0.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24771

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (firebase-admin): 10.0.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24434

Vulnerable Library - dicer-0.3.0.tgz

A very fast streaming multipart parser for node.js

Library home page: https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/dicer/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ dicer-0.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.

Publish Date: 2022-05-20

URL: CVE-2022-24434

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-7662

Vulnerable Library - websocket-extensions-0.1.3.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/websocket-extensions/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • database-0.6.1.tgz
    • faye-websocket-0.11.3.tgz
      • websocket-driver-0.7.3.tgz
        • ❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (firebase-admin): 8.12.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-26289

Vulnerable Library - date-and-time-0.13.1.tgz

A Minimalist DateTime utility for Node.js and the browser

Library home page: https://registry.npmjs.org/date-and-time/-/date-and-time-0.13.1.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/date-and-time/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • storage-4.7.0.tgz
    • ❌ date-and-time-0.13.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there a regular expression involved in parsing which can be exploited to to cause a denial of service. This is fixed in version 0.14.2.

Publish Date: 2020-12-28

URL: CVE-2020-26289

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26289

Release Date: 2020-12-28

Fix Resolution (date-and-time): 0.14.2

Direct dependency fix Resolution (firebase-admin): 8.12.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0008

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2024-11-03

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2024-11-03

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (firebase-admin): 10.0.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.1.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.1.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ jsonwebtoken-8.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (firebase-admin): 11.4.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0122

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (firebase-admin): 10.0.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.1.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.1.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ jsonwebtoken-8.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-22

URL: CVE-2022-23539

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (firebase-admin): 11.4.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7765

Vulnerable Library - util-0.2.45.tgz

_NOTE: This is specifically tailored for Firebase JS SDK usage, if you are not a member of the Firebase team, please avoid using this package_

Library home page: https://registry.npmjs.org/@firebase/util/-/util-0.2.45.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/@firebase/util/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • database-0.6.1.tgz
    • ❌ util-0.2.45.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Publish Date: 2020-11-16

URL: CVE-2020-7765

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7765

Release Date: 2020-11-16

Fix Resolution (@firebase/util): 0.3.3-2020922203858

Direct dependency fix Resolution (firebase-admin): 9.4.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24773

Vulnerable Library - node-forge-0.7.4.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.4.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/node-forge/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ node-forge-0.7.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (firebase-admin): 10.0.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.1.0.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.1.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ jsonwebtoken-8.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (firebase-admin): 11.4.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-6460

Vulnerable Library - firestore-3.7.5.tgz

Firestore Client Library for Node.js

Library home page: https://registry.npmjs.org/@google-cloud/firestore/-/firestore-3.7.5.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/@google-cloud/firestore/package.json

Dependency Hierarchy:

• firebase-admin-8.12.0.tgz (Root Library)
  • ❌ firestore-3.7.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue

Publish Date: 2023-12-04

URL: CVE-2023-6460

CVSS 3 Score Details (4.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6460

Release Date: 2023-12-04

Fix Resolution (@google-cloud/firestore): 6.2.0

Direct dependency fix Resolution (firebase-admin): 11.1.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.