marked-0.5.2.tgz: 6 vulnerabilities (highest severity is: 7.5) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (marked version)	Remediation Available
WS-2019-0024	High	7.5	marked-0.5.2.tgz	Direct	0.6.1	❌
CVE-2022-21681	High	7.5	marked-0.5.2.tgz	Direct	4.0.10	❌
CVE-2022-21680	High	7.5	marked-0.5.2.tgz	Direct	4.0.10	❌
WS-2020-0163	Medium	5.9	marked-0.5.2.tgz	Direct	1.1.1	❌
WS-2019-0209	Medium	5.5	marked-0.5.2.tgz	Direct	0.7.0	❌
WS-2019-0169	Medium	5.3	marked-0.5.2.tgz	Direct	0.6.2	❌

Details

WS-2019-0024

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.

Publish Date: 2019-01-13

URL: WS-2019-0024

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1679550

Release Date: 2019-01-13

Fix Resolution: 0.6.1

Step up your Open Source Security Game with Mend here

CVE-2022-21681

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: 4.0.10

Step up your Open Source Security Game with Mend here

CVE-2022-21680

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: 4.0.10

Step up your Open Source Security Game with Mend here

WS-2020-0163

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: 1.1.1

Step up your Open Source Security Game with Mend here

WS-2019-0209

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

marked before 0.7.0 vulnerable to Redos attack by he _label subrule that may significantly degrade parsing performance of malformed input.

Publish Date: 2019-07-04

URL: WS-2019-0209

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-07-04

Fix Resolution: 0.7.0

Step up your Open Source Security Game with Mend here

WS-2019-0169

Vulnerable Library - marked-0.5.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.5.2.tgz

Path to dependency file: /Modules/UpendoPrompt/package.json

Path to vulnerable library: /Modules/UpendoPrompt/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785

Found in base branch: main

Vulnerability Details

marked versions >0.3.14 and < 0.6.2 has Regular Expression Denial of Service vulnerability Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Publish Date: 2019-04-03

URL: WS-2019-0169

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-04-03

Fix Resolution: 0.6.2

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.