jest-cli-22.0.4.tgz: 22 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com]

Vulnerable Library - jest-cli-22.0.4.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jest-cli version)	Remediation Possible**	Reachability
CVE-2021-23383	Critical	9.8	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2021-23369	Critical	9.8	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2020-28499	Critical	9.8	merge-1.2.0.tgz	Transitive	24.0.0	✅
CVE-2019-19919	Critical	9.8	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2019-0333	High	8.1	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2019-20920	High	8.1	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2020-0218	High	7.5	merge-1.2.0.tgz	Transitive	24.0.0	✅
WS-2019-0493	High	7.5	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2019-0492	High	7.5	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2019-0318	High	7.5	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2019-20922	High	7.5	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2018-16469	High	7.5	merge-1.2.0.tgz	Transitive	22.0.5	✅
WS-2019-0064	High	7.3	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2018-0590	High	7.0	diff-3.4.0.tgz	Transitive	22.0.5	✅
WS-2019-0103	Medium	5.6	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
CVE-2020-7789	Medium	5.6	node-notifier-5.1.2.tgz	Transitive	22.0.5	✅
WS-2017-3757	Medium	5.3	content-type-parser-1.0.2.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-8.0.0.tgz	Transitive	24.9.0	✅
CVE-2017-16028	Medium	5.3	randomatic-1.1.7.tgz	Transitive	22.0.5	✅
WS-2019-0332	Medium	5.0	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2019-0331	Medium	5.0	handlebars-4.0.11.tgz	Transitive	22.0.5	✅
WS-2018-0589	Medium	4.0	nwmatcher-1.4.3.tgz	Transitive	22.0.5	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23383

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2021-23369

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-haste-map-22.0.3.tgz
    • sane-2.2.0.tgz
      • exec-sh-0.2.1.tgz
        • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1666

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.1

Direct dependency fix Resolution (jest-cli): 24.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2019-19919

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0333

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-20920

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2020-0218

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-haste-map-22.0.3.tgz
    • sane-2.2.0.tgz
      • exec-sh-0.2.1.tgz
        • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-09

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (jest-cli): 24.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0493

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution (handlebars): 4.5.2

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0492

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0318

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-10-20

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-20922

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2018-16469

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-haste-map-22.0.3.tgz
    • sane-2.2.0.tgz
      • exec-sh-0.2.1.tgz
        • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469

Release Date: 2018-10-30

Fix Resolution (merge): 1.2.1

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0064

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.14

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2018-0590

Vulnerable Library - diff-3.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-snapshot-22.0.3.tgz
    • jest-diff-22.0.3.tgz
      • ❌ diff-3.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0103

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.13

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2020-7789

Vulnerable Library - node-notifier-5.1.2.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.1.2.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/node-notifier/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/node-notifier/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • ❌ node-notifier-5.1.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2017-3757

Vulnerable Library - content-type-parser-1.0.2.tgz

Parse the value of the Content-Type header

Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-environment-jsdom-22.0.4.tgz
    • jsdom-11.5.1.tgz
      • ❌ content-type-parser-1.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.

Publish Date: 2017-12-10

URL: WS-2017-3757

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-12-10

Fix Resolution: v2.0.0

CVE-2020-7608

Vulnerable Library - yargs-parser-8.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-8.0.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • yargs-10.0.3.tgz
    • ❌ yargs-parser-8.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (jest-cli): 24.9.0

In order to enable automatic remediation, please create workflow rules

CVE-2017-16028

Vulnerable Library - randomatic-1.1.7.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • micromatch-2.3.11.tgz
    • braces-1.8.5.tgz
      • expand-range-1.8.2.tgz
        • fill-range-2.2.3.tgz
          • ❌ randomatic-1.1.7.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/157/versions

Release Date: 2018-04-26

Fix Resolution (randomatic): 3.0.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0332

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-17

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0331

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • istanbul-api-1.2.1.tgz
    • istanbul-reports-1.1.3.tgz
      • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-13

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2018-0589

Vulnerable Library - nwmatcher-1.4.3.tgz

A CSS3-compliant JavaScript selector engine.

Library home page: https://registry.npmjs.org/nwmatcher/-/nwmatcher-1.4.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json

Dependency Hierarchy:

• jest-cli-22.0.4.tgz (Root Library)
  • jest-environment-jsdom-22.0.4.tgz
    • jsdom-11.5.1.tgz
      • ❌ nwmatcher-1.4.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.

Publish Date: 2018-03-05

URL: WS-2018-0589

CVSS 2 Score Details (4.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (nwmatcher): 1.4.4

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules