Merge pull request #5650 from zapbot/retirejs-update

thc202 · web-flow · commit 2e960a079045 · 2024-08-15T16:46:40.000+01:00
retire.js Update 2024-08-15
diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Changed
+- Updated with upstream retire.js pattern changes.
+
 ### Added
 - A helpful description for the add-on.
 
diff --git a/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json b/addOns/retire/src/main/resources/org/zaproxy/addon/retire/resources/jsrepository.json
@@ -3287,7 +3287,7 @@
           "retid": "54"
         },
         "info": [
-          "https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a?gi=9d3103b5445c"
+          "https://docs.angularjs.org/misc/version-support-status"
         ]
       },
       {
@@ -5249,6 +5249,51 @@
           "https://github.com/advisories/GHSA-9v3m-8fp8-mj99",
           "https://github.com/twbs/bootstrap/issues/28236"
         ]
+      },
+      {
+        "atOrAbove": "2.0.0",
+        "below": "999",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Bootstrap Cross-Site Scripting (XSS) vulnerability",
+          "CVE": [
+            "CVE-2024-6484"
+          ],
+          "githubID": "GHSA-9mvj-f7w8-pvh2"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-9mvj-f7w8-pvh2",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-6484",
+          "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2024-6484.yml",
+          "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6484.yml",
+          "https://github.com/twbs/bootstrap",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-6484"
+        ]
+      },
+      {
+        "atOrAbove": "4.0.0",
+        "below": "999",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Bootstrap Cross-Site Scripting (XSS) vulnerability",
+          "CVE": [
+            "CVE-2024-6531"
+          ],
+          "githubID": "GHSA-vc8w-jr9v-vj7f"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-vc8w-jr9v-vj7f",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-6531",
+          "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6531.yml",
+          "https://github.com/twbs/bootstrap",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-6531"
+        ]
       }
     ],
     "extractors": {
@@ -5988,6 +6033,33 @@
         "info": [
           "https://github.com/axios/axios/pull/6300"
         ]
+      },
+      {
+        "atOrAbove": "1.3.2",
+        "below": "1.7.4",
+        "cwe": [
+          "CWE-918"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Server-Side Request Forgery in axios",
+          "CVE": [
+            "CVE-2024-39338"
+          ],
+          "githubID": "GHSA-8hc4-vh64-cxmj"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-8hc4-vh64-cxmj",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-39338",
+          "https://github.com/axios/axios/issues/6463",
+          "https://github.com/axios/axios/pull/6539",
+          "https://github.com/axios/axios/pull/6543",
+          "https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a",
+          "https://github.com/axios/axios",
+          "https://github.com/axios/axios/releases",
+          "https://github.com/axios/axios/releases/tag/v1.7.4",
+          "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html"
+        ]
       }
     ],
     "extractors": {
