Add severity to JSON feed (#1374)

* vuln/core: fix bad refs

* vuln/core: add severity

* vuln/core: CR fixes

* vuln/core: CR fixes 2

Author: srmish-jfrog

__mocks__/mockVuln/pass/core/1.json

@@ -7,5 +7,6 @@
   "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
   "description": "mocked core vulnerability overview",
   "overview": "mocked core vulnerability overview",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": ["all"],
+  "severity": "medium"
 }

tools/vuln_valid/vulnValidate.js

@@ -37,6 +37,10 @@ const coreModel = joi.object().keys({
   // See: https://nodejs.org/api/os.html#osplatform
   .items(joi.string().valid("all", "aix", "darwin", "freebsd", "linux", "openbsd", "sunos", "win32", "android"))
   .min(1)
+  .required(),
+  severity: joi
+  .string()
+  .regex(/^(unknown)|(low)|(medium)|(high)|(critical)$/)
   .required()
 });
 

vuln/core/1.json

@@ -7,5 +7,8 @@
   "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
   "description": "memory overread when parsing invalid NAPTR responses",
   "overview": "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/10.json

@@ -6,5 +6,8 @@
   "patched": "^6.9.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/",
   "overview": "The V8 parser mishandled scopes, potentially allowing an attacker to obtain\nsensitive information from arbitrary memory locations via crafted JavaScript\ncode. This vulnerability would require an attacker to be able to execute\narbitrary JavaScript code in a Node.js process.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/100.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-35256"],
+  "cve": [
+    "CVE-2022-35256"
+  ],
   "vulnerable": "14.x || 16.x || 18.x",
   "patched": "^14.20.1 || ^16.17.1 || ^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/101.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-35255"],
+  "cve": [
+    "CVE-2022-35255"
+  ],
   "vulnerable": "18.x",
   "patched": "^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/102.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-43548"],
+  "cve": [
+    "CVE-2022-43548"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/",
   "overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/103.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23918"],
+  "cve": [
+    "CVE-2023-23918"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/104.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23919"],
+  "cve": [
+    "CVE-2023-23919"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/105.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23936"],
+  "cve": [
+    "CVE-2023-23936"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/106.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-24807"],
+  "cve": [
+    "CVE-2023-24807"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "The Headers.set() and Headers.append() methods in the fetch API in Node.js where vulnerable to Regular a Expression Denial of Service (ReDoS) attacks.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "low"
 }

vuln/core/107.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23920"],
+  "cve": [
+    "CVE-2023-23920"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "Node.js would search and potentially load ICU data when running with elevated priviledges. Node.js was modified to build with ICU_NO_USER_DATA_OVERRIDE to avoid this.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "low"
 }

vuln/core/108.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30581"],
+  "cve": [
+    "CVE-2023-30581"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/109.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30582"],
+  "cve": [
+    "CVE-2023-30582"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/11.json

@@ -6,5 +6,8 @@
   "author": "Jann Horn",
   "description": "unauthorized clients can easily access inspector port",
   "overview": "Generate a UUID for each execution of the inspector. This provides additional\nsecurity to prevent unauthorized clients from connecting to the Node.js process\nvia the v8_inspector port when running with `--inspect`. Since the debugging\nprotocol allows extensive access to the internals of a running process, and the\nexecution of arbitrary code, it is important to limit connections to authorized\ntools only.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/110.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30583"],
+  "cve": [
+    "CVE-2023-30583"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/111.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30584"],
+  "cve": [
+    "CVE-2023-30584"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/112.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30585"],
+  "cve": [
+    "CVE-2023-30585"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process",
-  "affectedEnvironments": ["win32"]
+  "affectedEnvironments": [
+    "win32"
+  ],
+  "severity": "medium"
 }

vuln/core/113.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30586"],
+  "cve": [
+    "CVE-2023-30586"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/114.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30587"],
+  "cve": [
+    "CVE-2023-30587"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/115.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30589"],
+  "cve": [
+    "CVE-2023-30589"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/116.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30588"],
+  "cve": [
+    "CVE-2023-30588"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/117.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-30590"],
+  "cve": [
+    "CVE-2023-30590"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.1 || ^18.16.1 || ^20.3.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/",
   "overview": "The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/118.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-32002"],
+  "cve": [
+    "CVE-2023-32002"
+  ],
   "vulnerable": "16.x || 18.x || 20.x",
   "patched": "^16.20.2 || ^18.17.1 || ^20.5.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
   "overview": "The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/119.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-32004"],
+  "cve": [
+    "CVE-2023-32004"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.5.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
   "overview": "Improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/12.json

@@ -7,5 +7,8 @@
   "patched": "^6.7.0 || ^4.6.0",
   "description": "openssl 1.0.2h vulnerabilities",
   "overview": "A malicious client can exhaust a server's memory, resulting in a denial of\nservice (DoS) by sending very large OCSP Status Request extensions in a single\nsession.\n\nThis flaw is labelled high severity due to the ease of use for a DoS attack and\nNode.js servers using TLS are vulnerable.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/120.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-32558"],
+  "cve": [
+    "CVE-2023-32558"
+  ],
   "vulnerable": "20.x",
   "patched": "^20.5.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/",
   "overview": "The use of the deprecated API process.binding() can bypass the permission model through path traversal.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }