Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz: 34 vulnerabilities (highest severity is: 9.8) #131

Open
dimagwhitesourceapp bot opened this issue Dec 4, 2023 · 0 comments
Open

grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz: 34 vulnerabilities (highest severity is: 9.8) #131

dimagwhitesourceapp bot opened this issue Dec 4, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dimagwhitesourceapp
Copy link

dimagwhitesourceapp bot commented Dec 4, 2023
edited

Vulnerable Library - grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz version) Remediation Possible**
CVE-2021-23369 Critical 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2019-19919 Critical 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2020-7774 Critical 9.8 y18n-3.2.1.tgz Transitive N/A*
CVE-2021-44906 Critical 9.8 detected in multiple dependencies Transitive N/A*
CVE-2021-23383 Critical 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2019-10744 Critical 9.1 lodash-4.13.1.tgz Transitive N/A*
CVE-2023-45133 High 8.8 babel-traverse-6.11.4.tgz Transitive N/A*
CVE-2019-20920 High 8.1 handlebars-4.0.5.tgz Transitive N/A*
WS-2019-0063 High 8.1 detected in multiple dependencies Transitive N/A*
CVE-2019-20922 High 7.5 handlebars-4.0.5.tgz Transitive N/A*
CVE-2017-20165 High 7.5 debug-2.2.0.tgz Transitive N/A*
CVE-2020-28469 High 7.5 glob-parent-2.0.0.tgz Transitive N/A*
CVE-2022-25883 High 7.5 semver-5.3.0.tgz Transitive N/A*
WS-2019-0032 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2017-18077 High 7.5 brace-expansion-1.1.6.tgz Transitive N/A*
WS-2020-0450 High 7.5 handlebars-4.0.5.tgz Transitive N/A*
CVE-2022-3517 High 7.5 minimatch-3.0.2.tgz Transitive N/A*
CVE-2021-23343 High 7.5 path-parse-1.0.5.tgz Transitive N/A*
CVE-2020-8203 High 7.4 lodash-4.13.1.tgz Transitive N/A*
WS-2019-0064 High 7.3 handlebars-4.0.5.tgz Transitive N/A*
CVE-2021-23337 High 7.2 lodash-4.13.1.tgz Transitive N/A*
WS-2018-0590 High 7.1 diff-1.4.0.tgz Transitive N/A*
CVE-2019-1010266 Medium 6.5 lodash-4.13.1.tgz Transitive N/A*
CVE-2020-7598 Medium 5.6 detected in multiple dependencies Transitive N/A*
CVE-2018-16487 Medium 5.6 lodash-4.13.1.tgz Transitive N/A*
WS-2019-0103 Medium 5.6 handlebars-4.0.5.tgz Transitive N/A*
CVE-2017-16032 Medium 5.5 brace-expansion-1.1.6.tgz Transitive N/A*
CVE-2017-20162 Medium 5.3 ms-0.7.1.tgz Transitive N/A*
CVE-2020-28500 Medium 5.3 lodash-4.13.1.tgz Transitive N/A*
CVE-2017-16137 Medium 5.3 debug-2.2.0.tgz Transitive N/A*
CVE-2020-7608 Medium 5.3 yargs-parser-2.4.1.tgz Transitive N/A*
CVE-2021-23362 Medium 5.3 hosted-git-info-2.1.5.tgz Transitive N/A*
CVE-2017-16028 Medium 5.3 randomatic-1.1.5.tgz Transitive N/A*
CVE-2018-3721 Medium 4.3 lodash-4.13.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-23369

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@b6d3de7

Release Date: 2021-04-12

Fix Resolution: com.github.jknack:handlebars:4.2.0, handlebars - 4.7.7

CVE-2019-19919

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution: handlebars - 3.0.8,4.3.0

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-generator-6.11.4.tgz
                • detect-indent-3.0.1.tgz
                  • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

CVE-2021-23383

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution: handlebars - 4.7.7

CVE-2019-10744

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

CVE-2023-45133

Vulnerable Library - babel-traverse-6.11.4.tgz

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

CVE-2019-20920

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3

WS-2019-0063

Vulnerable Libraries - js-yaml-3.5.5.tgz, js-yaml-3.6.1.tgz

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2019-20922

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution: handlebars - 4.4.5

CVE-2017-20165

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.

Publish Date: 2023-01-09

URL: CVE-2017-20165

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vvw-cc9w-f27h

Release Date: 2023-01-09

Fix Resolution: debug - 2.6.9,3.1.0

CVE-2020-28469

Vulnerable Library - glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2022-25883

Vulnerable Library - semver-5.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • grunt-if-https://github.com/binarymist/grunt-if/tarball/master.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • yargs-4.8.1.tgz
              • read-pkg-up-1.0.1.tgz
                • read-pkg-1.1.0.tgz
                  • normalize-package-data-2.3.5.tgz
                    • semver-5.3.0.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

WS-2019-0032

Vulnerable Libraries - js-yaml-3.6.1.tgz, js-yaml-3.5.5.tgz

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

CVE-2017-18077

Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2022-10-03

Fix Resolution: 1.1.7

WS-2020-0450

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js#1633

Release Date: 2020-01-09

Fix Resolution: handlebars - 4.6.0

CVE-2022-3517

Vulnerable Library - minimatch-3.0.2.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: isaacs/minimatch@a8763f4

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-23343

Vulnerable Library - path-parse-1.0.5.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

CVE-2020-8203

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19

WS-2019-0064

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution: 3.0.7,4.0.14,4.1.2

CVE-2021-23337

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21

WS-2018-0590

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution: 3.5.0

CVE-2019-1010266

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@5c08f18

Release Date: 2019-07-17

Fix Resolution: lodash-4.17.11
@dimagwhitesourceapp dimagwhitesourceapp bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants