grunt-contrib-jshint-0.8.0.tgz: 4 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - grunt-contrib-jshint-0.8.0.tgz

Path to dependency file: /clumsy-bird/package.json

Path to vulnerable library: /clumsy-bird/node_modules/cli/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (grunt-contrib-jshint version)	Remediation Possible**
WS-2016-0036	High	7.5	cli-0.4.5.tgz	Transitive	0.11.1	❌
CVE-2021-23358	High	7.2	underscore-1.4.4.tgz	Transitive	0.11.1	❌
CVE-2022-0144	High	7.1	shelljs-0.1.4.tgz	Transitive	0.11.1	❌
CVE-2016-10538	Low	3.5	cli-0.4.5.tgz	Transitive	0.11.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2016-0036

Vulnerable Library - cli-0.4.5.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.5.tgz

Path to dependency file: /clumsy-bird/package.json

Path to vulnerable library: /clumsy-bird/node_modules/cli/package.json

Dependency Hierarchy:

• grunt-contrib-jshint-0.8.0.tgz (Root Library)
  • jshint-2.4.4.tgz
    • ❌ cli-0.4.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package node-cli insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2016-08-16

URL: WS-2016-0036

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-08-16

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt-contrib-jshint): 0.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-23358

Vulnerable Library - underscore-1.4.4.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.4.4.tgz

Path to dependency file: /clumsy-bird/package.json

Path to vulnerable library: /clumsy-bird/node_modules/jshint/node_modules/underscore/package.json

Dependency Hierarchy:

• grunt-contrib-jshint-0.8.0.tgz (Root Library)
  • jshint-2.4.4.tgz
    • ❌ underscore-1.4.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (grunt-contrib-jshint): 0.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-0144

Vulnerable Library - shelljs-0.1.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.1.4.tgz

Path to dependency file: /clumsy-bird/package.json

Path to vulnerable library: /clumsy-bird/node_modules/shelljs/package.json

Dependency Hierarchy:

• grunt-contrib-jshint-0.8.0.tgz (Root Library)
  • jshint-2.4.4.tgz
    • ❌ shelljs-0.1.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (grunt-contrib-jshint): 0.11.1

Step up your Open Source Security Game with Mend here

CVE-2016-10538

Vulnerable Library - cli-0.4.5.tgz

A tool for rapidly building command line apps

Library home page: https://registry.npmjs.org/cli/-/cli-0.4.5.tgz

Path to dependency file: /clumsy-bird/package.json

Path to vulnerable library: /clumsy-bird/node_modules/cli/package.json

Dependency Hierarchy:

• grunt-contrib-jshint-0.8.0.tgz (Root Library)
  • jshint-2.4.4.tgz
    • ❌ cli-0.4.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package node-cli before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Publish Date: 2018-05-31

URL: CVE-2016-10538

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10538

Release Date: 2018-05-31

Fix Resolution (cli): 1.0.0

Direct dependency fix Resolution (grunt-contrib-jshint): 0.11.1

Step up your Open Source Security Game with Mend here