.nsprc
162 lines (162 loc) · 12.2 KB
{
  "1113461": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1113466": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1113540": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1113545": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1113548": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1113553": {
    "active": true,
    "notes": "minimatch is a transitive dependency of @redocly/cli and redoc, used only for API documentation rendering. The vulnerable wildcard pattern matching is not exposed to user input in our usage context, making ReDoS exploitation not feasible.",
    "expiry": "2026-09-30"
  },
  "1115339": {
    "active": true,
    "notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. This second incomplete fix for CVE-2026-26278 affects numeric entity expansion limits. We do not configure fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
    "expiry": "2026-06-30"
  },
  "1116307": {
    "active": true,
    "notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The entity expansion limit bypass via JavaScript falsy evaluation of zero values only affects applications that explicitly configure maxEntityCount:0 or maxEntitySize:0. We do not configure fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
    "expiry": "2026-06-30"
  },
  "1116957": {
    "active": true,
    "notes": "fast-xml-parser is a transitive dependency of @redocly/cli via openapi-sampler, used only as a build tool to generate static API documentation. The XMLBuilder XML comment and CDATA injection via unescaped delimiters requires use of the XMLBuilder API with attacker-controlled input. We do not use fast-xml-parser directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
    "expiry": "2026-06-30"
  },
  "1115541": {
    "active": true,
    "notes": "brace-expansion is a transitive dependency of redoc, used only for API documentation rendering. The zero-step sequence causing process hang is not exploitable as brace-expansion is never used to process untrusted input in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115538": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. JavaScript injection via AST type confusion requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115539": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. JavaScript injection via AST type confusion requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115544": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. Prototype pollution via partial template injection requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115588": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. Prototype method access control gap requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115589": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. Property access validation bypass requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115692": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. CLI precompiler JavaScript injection requires attacker-controlled template names which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115693": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. JavaScript injection via dynamic partial requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115694": {
    "active": true,
    "notes": "handlebars is a transitive dependency used only in dev/doc tooling, not in production runtime code. DoS via malformed decorator syntax requires attacker-controlled template input which is not possible in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115549": {
    "active": true,
    "notes": "picomatch is a transitive dependency of @redocly/cli and related packages, used only as a build tool to generate static API documentation. The method injection via POSIX character classes is not exploitable as picomatch is never used to match untrusted glob patterns in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115551": {
    "active": true,
    "notes": "picomatch is a transitive dependency of @redocly/cli and related packages, used only as a build tool to generate static API documentation. The method injection via POSIX character classes is not exploitable as picomatch is never used to match untrusted glob patterns in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115552": {
    "active": true,
    "notes": "picomatch is a transitive dependency of @redocly/cli and related packages, used only as a build tool to generate static API documentation. The ReDoS vulnerability via extglob quantifiers is not exploitable as picomatch is never used to match untrusted input in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115554": {
    "active": true,
    "notes": "picomatch is a transitive dependency of @redocly/cli and related packages, used only as a build tool to generate static API documentation. The ReDoS vulnerability via extglob quantifiers is not exploitable as picomatch is never used to match untrusted input in our usage context.",
    "expiry": "2026-09-30"
  },
  "1115555": {
    "active": true,
    "notes": "yaml is a direct dependency used for configuration parsing. The stack overflow via deeply nested YAML collections is only exploitable with untrusted YAML input of extreme depth. Our usage parses only operator-controlled configuration files, making this not exploitable in practice.",
    "expiry": "2026-09-30"
  },
  "1115527": {
    "active": true,
    "notes": "path-to-regexp is a transitive dependency of express. A DoS via multiple route parameters is a low practical risk for stac-server: deployments are primarily hosted on AWS which provides built-in DDoS detection and mitigation, and the underlying data is generally not mission critical. A fix is expected upstream in the near future and will be incorporated before the next release.",
    "expiry": "2026-09-30"
  },
  "1116663": {
    "active": true,
    "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The ADD_TAGS function form bypassing FORBID_TAGS due to short-circuit evaluation requires both ADD_TAGS as a function and FORBID_TAGS to be configured simultaneously. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
    "expiry": "2026-09-30"
  },
  "1117138": {
    "active": true,
    "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The FORBID_TAGS bypass via function-based ADD_TAGS predicate requires direct DOMPurify configuration with both options simultaneously. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
    "expiry": "2026-09-30"
  },
  "1117139": {
    "active": true,
    "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode requires direct DOMPurify configuration with RETURN_DOM mode enabled. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
    "expiry": "2026-09-30"
  },
  "1117140": {
    "active": true,
    "notes": "dompurify is a transitive dependency of @redocly/cli via redoc, used only for API documentation rendering. The prototype pollution to XSS bypass via CUSTOM_ELEMENT_HANDLING fallback requires attacker-controlled input to DOMPurify. We do not configure DOMPurify directly and redoc is only used to render static API documentation, making this not exploitable in our usage context.",
    "expiry": "2026-09-30"
  },
  "1117015": {
    "active": true,
    "notes": "postcss is a transitive dependency of @redocly/cli via styled-components, used only as a build tool to generate static API documentation. The XSS via unescaped </style> in CSS stringify output requires attacker-controlled CSS input processed by PostCSS. We do not use PostCSS directly and @redocly/cli is never run against untrusted input, making this not exploitable.",
    "expiry": "2026-09-30"
  },
  "1117042": {
    "active": true,
    "notes": "protobufjs is a transitive dependency of @redocly/cli via @opentelemetry/otlp-transformer, used only as a build tool to generate static API documentation. The arbitrary code execution via malicious protobuf definitions requires attacker-controlled protobuf definition files, which is not possible in our usage context as @redocly/cli is never run against untrusted input.",
    "expiry": "2026-06-30"
  },
  "1115805": {
    "active": true,
    "notes": "lodash-es is a direct dependency. The _.template code injection vulnerability only affects use of the _.template function, which is not used anywhere in stac-server. The imported functions (pickBy, assign, get, isEmpty) are not affected.",
    "expiry": "2026-09-30"
  },
  "1115809": {
    "active": true,
    "notes": "lodash-es is a direct dependency. The prototype pollution vulnerability via array path bypass in _.unset and _.omit only affects those specific functions, which are not used anywhere in stac-server. The imported functions (pickBy, assign, get, isEmpty) are not affected.",
    "expiry": "2026-09-30"
  }
}