{"url":"http://public2.vulnerablecode.io/api/packages/6506?format=json","purl":"pkg:npm/tomato@0.0.6","type":"npm","namespace":"","name":"tomato","version":"0.0.6","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.0.6","latest_non_vulnerable_version":"0.0.6","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30479?format=json","vulnerability_id":"VCID-t2gf-z94c-tyam","summary":"API Admin Auth Weakness\nTomato is a Node.js web framework.\n\nThe tomato API has an admin service that is enabled by setting up an access_key in the config options. This access_key is intended to protect the API admin from unauthorized access.\n\nThe key is checked by checking to see if the access_key provided in the request is within the configured access_key string, not equal to. So a single character that's within the access key is sufficient to bypass this control.\n\n### Example:\nThis is the snippet of code that does the comparison to authorize requests.\n\n```\nif (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {\n```\n\nFor an access_key that is set to anything that includes the letter 'a' the following request would be authorized.\n\n```\n$ curl -X POST \"http://localhost:8081/api/exec\" -H \"Content-Type: application/json\" -d @test -H \"access-key: a\"\n{\n \"cmd\": \"ls\",\n \"path\": \".\",\n \"stdout\": \"app.js\\nconfig.js\\nlog\\nnode_modules\\nserver.js\\n\",\n \"stderr\": \"\"\n}\n```\n\n### Mitigating factors:\n\nThe admin interface is disabled by default. The module author confirmed that the access_key should really be an array of access_keys, however based on variable name and documentation it was not clear that it should be an array. The vulnerability exists only if a string access_key is set.\n\nModule version 0.0.6 has been updated to ensure an array of keys is provided as well as documentation updates.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7379","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7379"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/38.json","reference_id":"38","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/38.json"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6506?format=json","purl":"pkg:npm/tomato@0.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tomato@0.0.6"}],"aliases":["CVE-2013-7379"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2gf-z94c-tyam"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/tomato@0.0.6"}