firebase-functions-3.6.1.tgz: 6 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - firebase-functions-3.6.1.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/lodash/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (firebase-functions version)	Remediation Possible**
CVE-2022-24999	High	7.5	qs-6.7.0.tgz	Transitive	3.6.2	✅
CVE-2020-8203	High	7.4	lodash-4.17.15.tgz	Transitive	3.6.2	✅
CVE-2021-23337	High	7.2	lodash-4.17.15.tgz	Transitive	3.6.2	✅
CVE-2024-29041	Medium	6.1	express-4.17.1.tgz	Transitive	N/A*	❌
CVE-2024-47764	Medium	5.3	cookie-0.4.0.tgz	Transitive	N/A*	❌
CVE-2020-28500	Medium	5.3	lodash-4.17.15.tgz	Transitive	3.6.2	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24999

Vulnerable Library - qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/qs/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • express-4.17.1.tgz
    • ❌ qs-6.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.7.3

Direct dependency fix Resolution (firebase-functions): 3.6.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8203

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/lodash/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (firebase-functions): 3.6.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/lodash/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (firebase-functions): 3.6.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-29041

Vulnerable Library - express-4.17.1.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.17.1.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/express/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • ❌ express-4.17.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: express - 4.19.0

CVE-2024-47764

Vulnerable Library - cookie-0.4.0.tgz

HTTP server cookie parsing and serialization

Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/cookie/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • express-4.17.1.tgz
    • ❌ cookie-0.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Publish Date: 2024-10-04

URL: CVE-2024-47764

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pxg6-pf52-xh8x

Release Date: 2024-10-04

Fix Resolution: cookie - 0.7.0

CVE-2020-28500

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /firebase/JavaScript/functions/package.json

Path to vulnerable library: /firebase/JavaScript/functions/node_modules/lodash/package.json

Dependency Hierarchy:

• firebase-functions-3.6.1.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (firebase-functions): 3.6.2

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.