react-scripts-1.0.11.tgz: 74 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - react-scripts-1.0.11.tgz

Path to dependency file: /react-main/fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**
CVE-2023-26136	Critical	9.8	tough-cookie-2.3.2.tgz	Transitive	4.0.0	❌
CVE-2022-37601	Critical	9.8	loader-utils-1.1.0.tgz	Transitive	4.0.0	❌
CVE-2022-37598	Critical	9.8	uglify-js-3.7.3.tgz	Transitive	3.3.1	❌
CVE-2022-0691	Critical	9.8	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2021-23383	Critical	9.8	handlebars-4.5.3.tgz	Transitive	1.0.12	❌
CVE-2021-23369	Critical	9.8	handlebars-4.5.3.tgz	Transitive	1.0.12	❌
CVE-2020-28499	Critical	9.8	merge-1.2.0.tgz	Transitive	3.0.0	❌
CVE-2018-6342	Critical	9.8	react-dev-utils-3.1.1.tgz	Transitive	1.0.12	❌
CVE-2018-3774	Critical	9.8	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2018-13797	Critical	9.8	macaddress-0.2.8.tgz	Transitive	1.0.12	❌
CVE-2022-0686	Critical	9.1	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2019-10744	Critical	9.1	lodash.template-4.4.0.tgz	Transitive	1.0.12	❌
WS-2019-0063	High	8.1	js-yaml-3.9.1.tgz	Transitive	2.0.0	❌
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	1.0.12	❌
WS-2020-0450	High	7.5	handlebars-4.5.3.tgz	Transitive	1.0.12	❌
WS-2020-0091	High	7.5	http-proxy-1.16.2.tgz	Transitive	1.0.12	❌
WS-2019-0541	High	7.5	macaddress-0.2.8.tgz	Transitive	1.0.12	❌
WS-2019-0032	High	7.5	js-yaml-3.9.1.tgz	Transitive	2.0.0	❌
CVE-2022-37620	High	7.5	html-minifier-3.5.3.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.1.0.tgz	Transitive	1.0.12	❌
CVE-2022-24999	High	7.5	qs-6.5.0.tgz	Transitive	1.0.12	❌
CVE-2022-24772	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2022-24771	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-3803	High	7.5	nth-check-1.0.1.tgz	Transitive	1.0.12	❌
CVE-2021-27516	High	7.5	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2021-23382	High	7.5	detected in multiple dependencies	Transitive	3.0.0	❌
CVE-2021-23343	High	7.5	path-parse-1.0.5.tgz	Transitive	1.0.12	❌
CVE-2020-7662	High	7.5	websocket-extensions-0.1.1.tgz	Transitive	1.0.12	❌
CVE-2018-16469	High	7.5	merge-1.2.0.tgz	Transitive	1.0.12	❌
CVE-2018-14732	High	7.5	webpack-dev-server-2.7.1.tgz	Transitive	2.0.0	❌
CVE-2017-20165	High	7.5	debug-2.6.8.tgz	Transitive	1.0.12	❌
CVE-2017-16138	High	7.5	detected in multiple dependencies	Transitive	1.0.15	❌
CVE-2017-16119	High	7.5	fresh-0.5.0.tgz	Transitive	1.0.12	❌
CVE-2017-16118	High	7.5	forwarded-0.1.0.tgz	Transitive	1.0.12	❌
CVE-2017-16099	High	7.5	no-case-2.3.1.tgz	Transitive	1.0.12	❌
CVE-2017-15010	High	7.5	tough-cookie-2.3.2.tgz	Transitive	1.0.12	❌
WS-2018-0588	High	7.4	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2024-29180	High	7.4	webpack-dev-middleware-1.12.0.tgz	Transitive	5.0.0	❌
CVE-2020-8116	High	7.3	dot-prop-3.0.0.tgz	Transitive	1.0.12	❌
CVE-2020-7720	High	7.3	node-forge-0.6.33.tgz	Transitive	1.0.12	❌
WS-2018-0590	High	7.1	diff-3.3.0.tgz	Transitive	1.0.12	❌
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	1.0.12	❌
WS-2022-0008	Medium	6.6	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2022-0613	Medium	6.5	urijs-1.18.12.tgz	Transitive	N/A*	❌
CVE-2021-23386	Medium	6.5	dns-packet-1.2.2.tgz	Transitive	1.0.12	❌
CVE-2020-26291	Medium	6.5	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2024-29041	Medium	6.1	express-4.15.4.tgz	Transitive	N/A*	❌
CVE-2022-1243	Medium	6.1	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2022-1233	Medium	6.1	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2022-0868	Medium	6.1	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2022-0122	Medium	6.1	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-3647	Medium	6.1	urijs-1.18.12.tgz	Transitive	1.0.12	❌
WS-2019-0427	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.0.12	❌
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.0.12	❌
CVE-2021-24033	Medium	5.6	react-dev-utils-3.1.1.tgz	Transitive	4.0.0	❌
CVE-2020-7789	Medium	5.6	node-notifier-5.1.2.tgz	Transitive	1.0.12	❌
CVE-2020-15366	Medium	5.6	ajv-5.2.2.tgz	Transitive	2.0.0	❌
WS-2019-0017	Medium	5.3	clean-css-4.1.7.tgz	Transitive	1.0.12	❌
WS-2018-0347	Medium	5.3	eslint-4.4.1.tgz	Transitive	2.0.0	❌
WS-2017-3757	Medium	5.3	content-type-parser-1.0.1.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-5.7.1.tgz	Transitive	2.0.1	❌
CVE-2022-24773	Medium	5.3	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2022-24723	Medium	5.3	urijs-1.18.12.tgz	Transitive	1.0.12	❌
CVE-2022-0639	Medium	5.3	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2022-0512	Medium	5.3	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2021-3664	Medium	5.3	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2021-27515	Medium	5.3	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2021-23362	Medium	5.3	hosted-git-info-2.5.0.tgz	Transitive	1.0.12	❌
CVE-2020-8124	Medium	5.3	detected in multiple dependencies	Transitive	1.0.12	❌
CVE-2020-7693	Medium	5.3	sockjs-0.3.18.tgz	Transitive	3.4.2	❌
CVE-2020-7608	Medium	5.3	yargs-parser-5.0.0.tgz	Transitive	1.0.12	❌
WS-2018-0589	Low	3.7	nwmatcher-1.4.1.tgz	Transitive	1.0.12	❌
CVE-2017-16137	Low	3.7	debug-2.6.8.tgz	Transitive	1.0.12	❌
CVE-2024-27088	Low	0.0	es5-ext-0.10.29.tgz	Transitive	1.0.12	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-26136

Vulnerable Library - tough-cookie-2.3.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/scripts/bench/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • fsevents-1.1.2.tgz
    • node-pre-gyp-0.6.36.tgz
      • request-2.81.0.tgz
        • ❌ tough-cookie-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Library - loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Path to dependency file: /react-main/fixtures/attribute-behavior/package.json

Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • extract-text-webpack-plugin-3.0.0.tgz
    • ❌ loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37598

Vulnerable Library - uglify-js-3.7.3.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz

Path to dependency file: /react-main/fixtures/attribute-behavior/package.json

Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.12.tgz
        • istanbul-reports-1.1.1.tgz
          • handlebars-4.5.3.tgz
            • ❌ uglify-js-3.7.3.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (react-scripts): 3.3.1

Step up your Open Source Security Game with Mend here

CVE-2022-0691

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.0.12

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2021-23383

Vulnerable Library - handlebars-4.5.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.12.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2021-23369

Vulnerable Library - handlebars-4.5.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.12.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-haste-map-20.0.5.tgz
        • sane-1.6.0.tgz
          • exec-sh-0.2.0.tgz
            • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (react-scripts): 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2018-6342

Vulnerable Library - react-dev-utils-3.1.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.1.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • ❌ react-dev-utils-3.1.1.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 3.1.2

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2018-3774

Vulnerable Libraries - url-parse-1.1.9.tgz, url-parse-1.0.5.tgz

url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.1.9.tgz (Vulnerable Library)

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2018-13797

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • css-loader-0.28.4.tgz
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2022-10-03

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2022-0686

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 1.0.12

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

CVE-2019-10744

Vulnerable Library - lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • sw-precache-webpack-plugin-0.11.4.tgz
    • sw-precache-5.2.0.tgz
      • ❌ lodash.template-4.4.0.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

WS-2019-0063

Vulnerable Library - js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Path to dependency file: /react-main/fixtures/attribute-behavior/package.json

Path to vulnerable library: /react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • postcss-loader-2.0.6.tgz
    • postcss-load-config-1.2.0.tgz
      • cosmiconfig-2.2.2.tgz
        • ❌ js-yaml-3.9.1.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (react-scripts): 2.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-13822

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json,/react-main/fixtures/packaging/browserify/prod/package.json,/fixtures/packaging/browserify/prod/package.json,/fixtures/attribute-behavior/package.json,/react-main/fixtures/packaging/browserify/dev/package.json,/fixtures/packaging/browserify/dev/package.json,/react-main/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-3.5.1.tgz
    • node-libs-browser-2.0.0.tgz
      • crypto-browserify-3.11.1.tgz
        • create-ecdh-4.0.0.tgz
          • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

WS-2020-0450

Vulnerable Library - handlebars-4.5.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/fixtures/expiration/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.12.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-09

Fix Resolution (handlebars): 4.6.0

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

WS-2020-0091

Vulnerable Library - http-proxy-1.16.2.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz

Path to dependency file: /react-main/fixtures/expiration/package.json

Path to vulnerable library: /react-main/fixtures/expiration/package.json,/react-main/scripts/bench/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/scripts/bench/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • webpack-dev-server-2.7.1.tgz
    • http-proxy-middleware-0.17.4.tgz
      • ❌ http-proxy-1.16.2.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-14

Fix Resolution (http-proxy): 1.18.1

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here

WS-2019-0541

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/react-main/fixtures/attribute-behavior/package.json,/fixtures/expiration/package.json,/react-main/fixtures/expiration/package.json

Dependency Hierarchy:

• react-scripts-1.0.11.tgz (Root Library)
  • css-loader-0.28.4.tgz
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

Vulnerability Details

Arbitrary File Read vulnerability was found in macaddress before 0.4.3.

Publish Date: 2019-08-20

URL: WS-2019-0541

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution (macaddress): 0.4.3

Direct dependency fix Resolution (react-scripts): 1.0.12

Step up your Open Source Security Game with Mend here