CVE-2022-39288 – Denial of service in Fastify via Content-Type header
https://notcve.org/view.php?id=CVE-2022-39288
fastify is a fast and low-overhead web framework for Node.js. Affected versions of fastify are subject to a denial of service via malicious use of the Content-Type header: an attacker can send an invalid Content-Type header that causes the application to crash. This issue has been addressed in commit `fbb07e8d` and will be included in release version 4.8.1. Users are advised to upgrade. • https://github.com/fastify/fastify/commit/fbb07e8dfad74c69cd4cd2211aedab87194618e3 https://github.com/fastify/fastify/security/advisories/GHSA-455w-c45v-86rg https://github.com/fastify/fastify/security/policy • CWE-754: Improper Check for Unusual or Exceptional Conditions
CVE-2022-31142 – Potential Timing Attack Vector in @fastify/bearer-auth
https://notcve.org/view.php?id=CVE-2022-31142
@fastify/bearer-auth is a Fastify plugin that requires bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not use crypto.timingSafeEqual securely, so a malicious attacker could estimate the length of one valid bearer token. According to RFC 6750, a bearer token contains only base64-valid characters, which reduces the character range for a brute-force attack. Versions 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. • https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4 https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716 https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr https://hackerone.com/reports/1633287 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy
CVE-2022-29220 – No verification of commits origin in github-action-merge-dependabot
https://notcve.org/view.php?id=CVE-2022-29220
github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check whether a commit created by dependabot is verified with the proper GPG key; the only check is whether the actor is set to `dependabot[bot]`, which is taken to mean the PR is legitimate. In theory, the owner of a seemingly valid and legitimate action in the pipeline can check whether the PR was created by dependabot and whether their own action has enough permissions to modify that PR. If so, they can modify the PR by adding a second seemingly valid and legitimate commit, since the username and email on git commits can be set arbitrarily. • https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7 https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w https://hackerone.com/bugs?report_id=1564530 • CWE-283: Unverified Ownership CWE-345: Insufficient Verification of Data Authenticity
CVE-2021-23597 – Denial of Service (DoS)
https://notcve.org/view.php?id=CVE-2021-23597
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property, it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-1290382). • https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066 https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1 https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-22963 – fastify-static: open redirect via a URL with a double slash followed by a domain
https://notcve.org/view.php?id=CVE-2021-22963
A redirect vulnerability in the fastify-static module, version < 4.2.4, allows remote attackers to redirect users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue affects all fastify-static applications that set the redirect: true option; by default it is false. • https://hackerone.com/reports/1354255 https://access.redhat.com/security/cve/CVE-2021-22963 https://bugzilla.redhat.com/show_bug.cgi?id=2015152 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')