coveralls@2.13.3

Vulnerabilities 3 via 6 paths
Dependencies 70
Source npm

medium severity

Insecure Randomness

  • Vulnerable module: cryptiles
  • Introduced through: request@2.79.0

Detailed paths

  • Introduced through: coveralls@2.13.3 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5
    Remediation: Upgrade to coveralls@3.0.0.

Overview

cryptiles is a package for general crypto utilities.

Affected versions of this package are vulnerable to Insecure Randomness. The randomDigits() method is supposed to return a cryptographically strong pseudo-random string of digits, but its output was biased toward certain digits. An attacker may be able to guess the generated digits.

Remediation

Upgrade cryptiles to version 4.1.2 or higher.

medium severity

Uninitialized Memory Exposure

  • Vulnerable module: tunnel-agent
  • Introduced through: request@2.79.0

Detailed paths

  • Introduced through: coveralls@2.13.3 > request@2.79.0 > tunnel-agent@0.4.3
    Remediation: Upgrade to coveralls@3.0.0.

Overview

tunnel-agent is an HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number is used to set the proxy.auth option of a request, which can result in uninitialized memory being exposed in the request body.

This is a result of unchecked use of the Buffer constructor, whose insecure default behaviour increases the odds of memory leakage.

Details

Constructing a Buffer with an integer N creates a Buffer of length N backed by raw (not zeroed) memory.

In the following example, the first call allocates 100 bytes of uninitialized memory, while the second allocates only the memory needed to hold the string "100":

// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');

tunnel-agent's request construction uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.

Proof of concept by ChALkeR

require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: 80   // a number rather than a string: the value that triggers the Buffer(N) allocation
  }
});

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.

Remediation

Upgrade tunnel-agent to version 0.6.0 or higher. Note: this is vulnerable only on Node <= 4.

low severity

Prototype Pollution

  • Vulnerable module: hoek
  • Introduced through: request@2.79.0

Detailed paths

  • Introduced through: coveralls@2.13.3 > request@2.79.0 > hawk@3.1.3 > hoek@2.16.3
    Remediation: Upgrade to coveralls@3.0.0.
  • Introduced through: coveralls@2.13.3 > request@2.79.0 > hawk@3.1.3 > boom@2.10.1 > hoek@2.16.3
    Remediation: Upgrade to coveralls@3.0.0.
  • Introduced through: coveralls@2.13.3 > request@2.79.0 > hawk@3.1.3 > sntp@1.0.9 > hoek@2.16.3
    Remediation: Upgrade to coveralls@3.0.0.
  • Introduced through: coveralls@2.13.3 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5 > boom@2.10.1 > hoek@2.16.3
    Remediation: Upgrade to coveralls@3.0.0.

Overview

hoek is a collection of utility methods for the hapi ecosystem.

Affected versions of this package are vulnerable to Prototype Pollution. The utility functions allow modification of the Object prototype. If an attacker can control part of the structure passed to these functions, they could add a property or modify an existing one.

PoC by Olivier Arteau (HoLyVieR)

var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
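
To show why a recursive merge is dangerous with a payload of the shape above, here is an added example that is not hoek's code and not part of this advisory: a naive deep merge next to a hardened one that refuses to descend through `__proto__`, `constructor` and `prototype`, plus a check (`pollutes`, a name chosen here) that reports whether Object.prototype was modified and restores it afterwards.

```javascript
// Naive recursive merge in the style that makes prototype pollution
// possible: it walks into every key of `source`, including "__proto__".
// Shown only to demonstrate the failure mode; do not use.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skips the keys that reach the prototype chain and
// only recurses into objects that `target` itself owns.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge against a constructed payload (same shape as the PoC above)
// and reports whether Object.prototype was polluted; always cleans up.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"oops":"It works !"}}'); // constructed
  try {
    mergeFn({}, payload);
    return ({}).oops === 'It works !';
  } finally {
    delete Object.prototype.oops;
  }
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes: ', pollutes(safeMerge));  // false
```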

Remediation

Upgrade hoek to versions 4.2.1, 5.0.3 or higher.
