You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
mend-bolt-for-githubbot
changed the title
eslint-4.1.0.tgz: 13 vulnerabilities (highest severity is: 9.8)
eslint-4.1.0.tgz: 9 vulnerabilities (highest severity is: 9.8)
Mar 23, 2024
mend-bolt-for-githubbot
changed the title
eslint-4.1.0.tgz: 9 vulnerabilities (highest severity is: 9.8)
eslint-4.1.0.tgz: 10 vulnerabilities (highest severity is: 9.8)
Mar 29, 2024
mend-bolt-for-githubbot
changed the title
eslint-4.1.0.tgz: 10 vulnerabilities (highest severity is: 9.8)
eslint-4.1.0.tgz: 12 vulnerabilities (highest severity is: 9.8)
Mar 31, 2024
mend-bolt-for-githubbot
changed the title
eslint-4.1.0.tgz: 12 vulnerabilities (highest severity is: 9.8)
eslint-4.1.0.tgz: 13 vulnerabilities (highest severity is: 9.8)
Mar 31, 2024
Vulnerable Library - eslint-4.1.0.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2020-0344
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Path to dependency file: /fixtures/eslint/package.json
Path to vulnerable library: /fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2021-23807
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution (jsonpointer): 5.0.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2019-10744
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2020-0345
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
CVSS 3 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2019-0063
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2020-0342
Vulnerable Library - is-my-json-valid-2.19.0.tgz
A JSONSchema validator that uses code generation to be extremely fast
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.19.0.tgz
Path to dependency file: /fixtures/eslint/package.json
Path to vulnerable library: /fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2020-0042
Vulnerable Library - acorn-5.7.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2019-0032
Vulnerable Library - js-yaml-3.12.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.1.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2020-8203
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2021-23337
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
CVE-2020-15366
Vulnerable Library - ajv-6.7.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.7.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
WS-2018-0347
Vulnerable Library - eslint-4.1.0.tgz
An AST-based pattern checker for JavaScript.
Library home page: https://registry.npmjs.org/eslint/-/eslint-4.1.0.tgz
Path to dependency file: /react-main/fixtures/eslint/package.json
Path to vulnerable library: /react-main/fixtures/eslint/package.json,/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
A vulnerability was descovered in eslint before 4.18.2. One of the regexes in eslint is vulnerable to catastrophic backtracking.
Publish Date: 2018-02-27
URL: WS-2018-0347
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-02-27
Fix Resolution: 4.18.2
Step up your Open Source Security Game with Mend here
CVE-2020-28500
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /react-main/scripts/bench/package.json
Path to vulnerable library: /react-main/scripts/bench/package.json,/react-main/fixtures/flight/package.json,/scripts/bench/package.json,/fixtures/flight/package.json,/fixtures/eslint/package.json,/react-main/fixtures/eslint/package.json
Dependency Hierarchy:
Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (eslint): 4.1.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: