eslint-4.1.0.tgz: 13 vulnerabilities (highest severity is: 9.8) #16
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Path to dependency file: /fixtures/eslint/package.json
Path to vulnerable library: /fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Path to dependency file: /fixtures/eslint/package.json
Path to vulnerable library: /fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - acorn-5.7.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - ajv-6.7.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.7.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - eslint-4.1.0.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.
Publish Date: 2018-02-27
URL: WS-2018-0347
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2018-02-27
Fix Resolution: 4.18.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: