WS-2022-0322 (High) detected in d3-color-1.4.1.tgz #1804

mend-bolt-for-github · 2022-10-06T01:03:33Z

WS-2022-0322 - High Severity Vulnerability

Vulnerable Library - d3-color-1.4.1.tgz

Color spaces! RGB, HSL, Cubehelix, Lab and HCL (Lch).

Library home page: https://registry.npmjs.org/d3-color/-/d3-color-1.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

c3-0.7.20.tgz (Root Library)
- d3-5.16.0.tgz
  - ❌ d3-color-1.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 5def65f0b4206a5ad7d8195b61a34437fb09ec9d

Found in base branch: master

Vulnerability Details

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Publish Date: 2022-09-29

URL: WS-2022-0322

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-36jr-mh4h-2g58

Release Date: 2022-09-29

Fix Resolution: d3-color - 3.1.0

Step up your Open Source Security Game with Mend here

Fryguy · 2022-10-06T13:13:21Z

@MelsHyrule Can you please take a look at this one?

Fryguy · 2023-03-06T16:46:47Z

Reopening to make sure it gets rescanned

MelsHyrule · 2023-03-13T16:02:06Z

As a note this issue was not resolved by #1805 because it is the c3 package that actually uses these versions of d3-color. Looking into seeing if we can remove this from our package.json file.

miq-bot · 2023-07-24T00:00:19Z

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Oct 6, 2022

Fryguy assigned Fryguy and MelsHyrule and unassigned Fryguy Oct 6, 2022

MelsHyrule mentioned this issue Oct 10, 2022

Updating to latest d3 #1805

Merged

mend-bolt-for-github bot changed the title ~~WS-2022-0322 (Medium) detected in d3-color-1.4.1.tgz, d3-color-2.0.0.tgz~~ WS-2022-0322 (High) detected in d3-color-1.4.1.tgz, d3-color-2.0.0.tgz Oct 12, 2022

jeffibm closed this as completed in #1805 Oct 12, 2022

Fryguy reopened this Mar 6, 2023

mend-bolt-for-github bot changed the title ~~WS-2022-0322 (High) detected in d3-color-1.4.1.tgz, d3-color-2.0.0.tgz~~ WS-2022-0322 (High) detected in d3-color-1.4.1.tgz Mar 17, 2023

miq-bot added the stale label Jul 24, 2023

Fryguy removed the stale label Sep 18, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WS-2022-0322 (High) detected in d3-color-1.4.1.tgz #1804

WS-2022-0322 (High) detected in d3-color-1.4.1.tgz #1804

mend-bolt-for-github bot commented Oct 6, 2022 •

edited

Fryguy commented Oct 6, 2022

Fryguy commented Mar 6, 2023

MelsHyrule commented Mar 13, 2023

miq-bot commented Jul 24, 2023

WS-2022-0322 (High) detected in d3-color-1.4.1.tgz #1804

WS-2022-0322 (High) detected in d3-color-1.4.1.tgz #1804

Comments

mend-bolt-for-github bot commented Oct 6, 2022 • edited

WS-2022-0322 - High Severity Vulnerability

Fryguy commented Oct 6, 2022

Fryguy commented Mar 6, 2023

MelsHyrule commented Mar 13, 2023

miq-bot commented Jul 24, 2023

mend-bolt-for-github bot commented Oct 6, 2022 •

edited