Version Details and Security Vulnerabilities

📦

@azure/ms-rest-nodeauth

3.0.8

Comparision Betweeen 3.0.8 and 3.0.7

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

357.32 KB

357.16 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

@azure/ms-rest-nodeauth

3.0.8

Comparision Betweeen 3.0.8 and 3.0.7

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

357.32 KB

357.16 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.0.8 of the package @azure/ms-rest-nodeauth.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.0.8 of the package

Summary:

Server-Side Request Forgery in Request

Details:

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

NOTE: The request package is no longer supported by the maintainer.

Details about request@2.88.2

Summary:

tough-cookie Prototype Pollution vulnerability

Details:

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Details about tough-cookie@2.5.0

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.6.0

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.6.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.0.8 of the package @azure/ms-rest-nodeauth.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.0.8 of the package

Summary:

Server-Side Request Forgery in Request

Details:

NOTE: The request package is no longer supported by the maintainer.

Details about request@2.88.2

Summary:

tough-cookie Prototype Pollution vulnerability

Details:

Details about tough-cookie@2.5.0

Summary:

Misinterpretation of malicious XML input

Details:

Impact

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.6.0

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.6.0

Version Details and Security Vulnerabilities

@azure/ms-rest-nodeauth

Comparision Betweeen 3.0.8 and 3.0.7

Security Vulnerabilities

Version Details and Security Vulnerabilities

@azure/ms-rest-nodeauth

Comparision Betweeen 3.0.8 and 3.0.7

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

For more information

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

For more information

Impact

Patches

Workarounds

References

For more information

Version Details and Security Vulnerabilities

@azure/ms-rest-nodeauth

Comparision Betweeen 3.0.8 and 3.0.7

Security Vulnerabilities

Version Details and Security Vulnerabilities

@azure/ms-rest-nodeauth

Comparision Betweeen 3.0.8 and 3.0.7

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

request@2.88.2 GHSA-p8p7-x288-28g6 6.1

tough-cookie@2.5.0 GHSA-72xf-g2v4-qvf3 6.5

xmldom@0.6.0 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.6.0 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

request@2.88.2 GHSA-p8p7-x288-28g6 6.1

tough-cookie@2.5.0 GHSA-72xf-g2v4-qvf3 6.5

xmldom@0.6.0 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.6.0 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information