
taffydb @2.7.3

Status: rejected
This version did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 88
License: BSD-2-Clause
Install Scripts: No
Dependencies: 0
Dev Dependencies: 5
Package Size: 24.1 KB
Published

TaffyDB is an open source library that brings database features into your JavaScript applications.

Maintainers

biastoact, chambery, mcwhittemore, mikem

Keywords

database, browser, json, collection, records, node, nodejs

Dev Dependencies (5)

Package          Constraint   Registry Status
jslint           ^0.9.3       auto_approved
nodeunit         ^0.9.1       auto_approved
uglifyjs         ^2.4.10      Not imported
nodeunit-b       ^4.0.0       Not imported
node-inspector   ^0.12.5      Not imported

Changes from v0.0.1

Dependency Changes

Script Changes

+ test

License Changed

none → BSD-2-Clause

File Changes

4 added, 4 removed, 2 modified (size delta: +7.4 KB)

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-mxhp-79qh-mcx6
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): HIGH severity CVE-2019-10790 affects all versions <= 2.7.3 with no fix available. Package is unmaintained; this advisory generalizes to every published version.

SAST Findings (4)

[HIGH] Publisher changed: mcwhittemore → mikem (on 2016-09-18) [provenance]

This version was published by a different npm account than previous versions on 2016-09-18. This could indicate a legitimate maintainer transition or an account compromise. Note that mikem appears in the package's maintainer list above, which is consistent with a hand-off between existing maintainers, but it does not by itself rule out a compromise of that account; the account change should be checked against the package's own history (repository commits, release notes) before it is accepted.
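The publisher-change finding above can be reproduced from the public npm registry document ("packument") for any package. The function below is an added example written for this page, not GreenFlagged's rule implementation. It relies on two fields of the full packument, `versions[<version>]._npmUser.name` and `time[<version>]`, walks versions in publish order rather than semver order (so a backported patch is compared with what was actually published before it), and only reports a change when both neighbouring publishers are known. The sample packument is constructed for the example: the account names and the 2.7.3 date come from the finding, the earlier versions and their dates are invented.

```javascript
// Added example: detect npm account changes across a package's publish history.
// Not GreenFlagged's own code. Input is the full registry packument
// (GET https://registry.npmjs.org/<name>), which carries per-version
// `_npmUser` and a `time` map of ISO publish dates.

function publisherChanges(packument) {
  const time = packument.time || {};
  const versions = Object.keys(packument.versions || {})
    .filter(v => typeof time[v] === 'string')
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));

  const changes = [];
  let prev = null; // { version, name } of the previously published version
  for (const v of versions) {
    const user = packument.versions[v]._npmUser;
    const name = user && typeof user.name === 'string' ? user.name : null;
    // Only flag when both sides are known; very old versions often lack _npmUser
    // and a null-to-name transition would be noise, not evidence.
    if (prev && prev.name && name && name !== prev.name) {
      changes.push({
        version: v,
        previousVersion: prev.version,
        from: prev.name,
        to: name,
        at: time[v].slice(0, 10),
      });
    }
    prev = { version: v, name };
  }
  return changes;
}

// Constructed packument fragment (illustrative, not real taffydb registry data):
// versions 2.7.0-2.7.2 and their dates are invented; the 2.7.3 publisher and
// date mirror the finding on this page.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  time: {
    '2.7.0': '2014-11-03T09:00:00.000Z',
    '2.7.1': '2015-03-02T10:00:00.000Z',
    '2.7.2': '2015-09-11T12:00:00.000Z',
    '2.7.3': '2016-09-18T08:30:00.000Z',
  },
  versions: {
    '2.7.0': {},                                   // no _npmUser recorded
    '2.7.1': { _npmUser: { name: 'mcwhittemore' } },
    '2.7.2': { _npmUser: { name: 'mcwhittemore' } },
    '2.7.3': { _npmUser: { name: 'mikem' } },
  },
};

function demoPublisherChanges() {
  return publisherChanges(SAMPLE_PACKUMENT);
}
```

Run against a live packument this yields one record per hand-off; a hand-off that coincides with a new minified file or a new install script is the combination worth escalating, whereas a hand-off to an account already in the package's maintainer list is the common benign case.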

[HIGH] New obfuscated file: taffy-min.js [source-diff]

The newly added source file contains lines over 3000 characters, which indicates minified or obfuscated code. New obfuscated files are a strong attack indicator because they hide what the package actually executes. In this case the file name (taffy-min.js) and the uglifyjs dev dependency listed above are consistent with an ordinary minified build artifact; the way to settle it is to re-minify the unminified source at the same commit and diff the result against the shipped file, rather than to judge on line length alone.

[HIGH] GHSA-mxhp-79qh-mcx6: TaffyDB can allow access to any data items in the DB [osv]

CVSS 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

TaffyDB allows attackers to forge additional properties into user input processed by taffy, which can allow access to any data items in the DB. Taffy sets an internal index for each data item in its DB. However, the internal index can be forged by adding additional properties into user input. If the index is found in the query, TaffyDB ignores the other query conditions and directly returns the indexed data item. Moreover, the internal index is in an easily guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data item in the DB. Note: `taffy` and its successor package `taffydb` are not maintained.
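The following is an added illustration of the bypass the advisory describes, written for this page; it is not TaffyDB's code and does not require the package. It is a small model of a query engine that stamps every record with a predictable T…R… index and short-circuits to that index whenever the query object carries it, which is the behaviour the advisory attributes to TaffyDB. Two assumptions are labelled in the code: the internal key is named `___id` (the advisory names only the value format) and the table prefix is fixed. The sample records and the session/request scenario are constructed.

```javascript
// Added example for this page, NOT TaffyDB's own implementation.
// Model of a query engine with the advisory's two properties:
//   (a) every record gets a sequential, guessable internal index, and
//   (b) an index present in the query wins and all other conditions are ignored.
const ID_KEY = '___id';          // ASSUMPTION: name of the internal index field
const TABLE_PREFIX = 'T000002';  // ASSUMPTION: fixed table prefix for this table

// Stamp records with ids of the form T000002R000001, T000002R000002, ...
function makeTable(records) {
  return records.map((rec, i) => {
    const row = Object.assign({}, rec);
    row[ID_KEY] = TABLE_PREFIX + 'R' + String(i + 1).padStart(6, '0');
    return row;
  });
}

// Vulnerable behaviour being modelled: an index in the query short-circuits
// the lookup and every other condition is ignored.
function queryModel(table, q) {
  if (q !== null && typeof q === 'object' && Object.prototype.hasOwnProperty.call(q, ID_KEY)) {
    return table.filter(r => r[ID_KEY] === q[ID_KEY]);
  }
  return table.filter(r => Object.keys(q).every(k => r[k] === q[k]));
}

// Vulnerable handler: the client-supplied filter is merged with the session's
// owner scope. The owner condition looks mandatory, but a client-supplied
// ___id makes queryModel ignore it entirely.
function findForUserVulnerable(table, sessionUser, clientFilter) {
  const q = Object.assign({}, clientFilter, { owner: sessionUser });
  return queryModel(table, q);
}

// Hardened handler: copy only allowlisted fields out of the untrusted filter,
// then add the owner scope. Reserved keys such as ___id never reach the engine.
function findForUserHardened(table, sessionUser, clientFilter, allowedFields) {
  const q = {};
  for (const k of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(clientFilter, k)) q[k] = clientFilter[k];
  }
  q.owner = sessionUser;
  return queryModel(table, q);
}

// Constructed sample table (not data from the page).
const TABLE = makeTable([
  { owner: 'alice', kind: 'note',  secret: 'alice-token' },
  { owner: 'bob',   kind: 'note',  secret: 'bob-token'   },
  { owner: 'alice', kind: 'draft', secret: 'alice-draft' },
]);

// Alice's session with a JSON body she controls. Guessing bob's index
// (T000002R000002) is enough to read his row through the vulnerable handler;
// the hardened handler stays inside alice's scope.
function demo() {
  const body = JSON.parse('{"kind":"note","___id":"T000002R000002"}');
  return {
    vulnerable: findForUserVulnerable(TABLE, 'alice', body).map(r => r.secret),
    hardened:   findForUserHardened(TABLE, 'alice', body, ['kind']).map(r => r.secret),
  };
}
```

The general lesson is the one the advisory implies: when a library treats some property of a plain object as privileged, any code path that passes parsed request bodies into it is an injection point, and the fix belongs at the boundary (an explicit allowlist of queryable fields), not in guessing which reserved names to strip.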

[LOW] No provenance attestation [provenance]

The package was published without Sigstore provenance, so there is no attestation tying the tarball to a source commit and build. Consider asking the maintainer to enable provenance by publishing from CI/CD with `npm publish --provenance`; given that the package is noted as unmaintained, this is unlikely to be addressed.

Review Summary

Risk score: 88. Findings: 3 high (+75), 1 medium (+10), 1 low (+3).

Commit: c88fd85462f4

Published to npm: