Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

react-scripts-1.0.17.tgz: 95 vulnerabilities (highest severity is: 9.8) #186

Open
mend-bolt-for-github bot opened this issue Dec 14, 2022 · 0 comments

Comments

@mend-bolt-for-github
Copy link
Contributor

Vulnerable Library - react-scripts-1.0.17.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/original/node_modules/url-parse/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/original/node_modules/url-parse/package.json

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (react-scripts version) Remediation Available
CVE-2018-3774 High 9.8 detected in multiple dependencies Transitive 1.1.0
CVE-2021-23369 High 9.8 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2019-19919 High 9.8 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2018-13797 High 9.8 macaddress-0.2.8.tgz Transitive 1.1.0
CVE-2018-1000620 High 9.8 detected in multiple dependencies Transitive 1.1.0
CVE-2020-28499 High 9.8 merge-1.2.0.tgz Transitive 3.0.0
CVE-2021-44906 High 9.8 minimist-0.0.10.tgz Transitive 5.0.1
CVE-2021-23383 High 9.8 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2018-3750 High 9.8 deep-extend-0.4.2.tgz Transitive 1.1.0
CVE-2022-0691 High 9.8 detected in multiple dependencies Transitive 1.1.0
CVE-2018-16492 High 9.8 extend-3.0.1.tgz Transitive 1.1.0
CVE-2018-6342 High 9.8 react-dev-utils-4.2.1.tgz Transitive 1.1.0
CVE-2022-37601 High 9.8 detected in multiple dependencies Transitive 4.0.0
CVE-2021-42740 High 9.8 shell-quote-1.6.1.tgz Transitive 5.0.0
CVE-2022-1650 High 9.3 eventsource-0.1.6.tgz Transitive 2.1.3
CVE-2019-10744 High 9.1 lodash-4.17.5.tgz Transitive 1.1.0
CVE-2022-0686 High 9.1 detected in multiple dependencies Transitive 1.1.0
CVE-2018-3728 High 8.8 hoek-2.16.3.tgz Transitive 1.1.1
CVE-2019-20920 High 8.1 handlebars-4.0.11.tgz Transitive 1.1.0
WS-2019-0063 High 8.1 detected in multiple dependencies Transitive 2.0.0
CVE-2021-43138 High 7.8 detected in multiple dependencies Transitive 3.0.0
CVE-2020-13822 High 7.7 elliptic-6.4.0.tgz Transitive 1.1.0
CVE-2022-37620 High 7.5 html-minifier-3.5.9.tgz Transitive N/A*
CVE-2018-3737 High 7.5 sshpk-1.13.1.tgz Transitive 1.1.0
CVE-2018-16469 High 7.5 merge-1.2.0.tgz Transitive 1.1.0
CVE-2022-29167 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2021-23382 High 7.5 detected in multiple dependencies Transitive 3.0.0
CVE-2022-37603 High 7.5 loader-utils-1.1.0.tgz Transitive 1.1.0
CVE-2018-14732 High 7.5 webpack-dev-server-2.9.4.tgz Transitive 2.0.0
CVE-2021-23343 High 7.5 path-parse-1.0.5.tgz Transitive 1.1.0
CVE-2020-7662 High 7.5 websocket-extensions-0.1.3.tgz Transitive 1.1.0
CVE-2019-20922 High 7.5 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2021-23424 High 7.5 ansi-html-0.0.7.tgz Transitive 5.0.0
CVE-2020-28469 High 7.5 glob-parent-2.0.0.tgz Transitive 5.0.0
WS-2021-0152 High 7.5 color-string-0.3.0.tgz Transitive 2.0.0
CVE-2022-21222 High 7.5 css-what-2.1.0.tgz Transitive 1.1.0
CVE-2022-24772 High 7.5 node-forge-0.7.1.tgz Transitive 5.0.0
CVE-2021-29059 High 7.5 is-svg-2.1.0.tgz Transitive 2.0.0
CVE-2022-24771 High 7.5 node-forge-0.7.1.tgz Transitive 5.0.0
WS-2019-0032 High 7.5 detected in multiple dependencies Transitive 2.0.0
CVE-2021-3803 High 7.5 nth-check-1.0.1.tgz Transitive 1.1.0
CVE-2021-27516 High 7.5 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2022-24999 High 7.5 detected in multiple dependencies Transitive 1.1.0
WS-2020-0450 High 7.5 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2022-3517 High 7.5 minimatch-3.0.3.tgz Transitive N/A*
CVE-2021-28092 High 7.5 is-svg-2.1.0.tgz Transitive 2.0.0
WS-2020-0091 High 7.5 http-proxy-1.16.2.tgz Transitive 1.1.0
WS-2019-0541 High 7.5 macaddress-0.2.8.tgz Transitive 1.1.0
CVE-2021-3777 High 7.5 tmpl-1.0.4.tgz Transitive 1.1.0
WS-2018-0588 High 7.4 detected in multiple dependencies Transitive 1.1.0
CVE-2020-8203 High 7.4 lodash-4.17.5.tgz Transitive 1.1.0
CVE-2020-7720 High 7.3 node-forge-0.7.1.tgz Transitive 1.1.0
WS-2019-0064 High 7.3 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2021-23337 High 7.2 lodash-4.17.5.tgz Transitive 1.1.0
WS-2018-0590 High 7.1 diff-3.4.0.tgz Transitive 1.1.0
CVE-2020-28498 Medium 6.8 elliptic-6.4.0.tgz Transitive 1.1.0
WS-2022-0008 Medium 6.6 node-forge-0.7.1.tgz Transitive 5.0.0
CVE-2018-21270 Medium 6.5 stringstream-0.0.5.tgz Transitive 1.1.0
CVE-2021-23386 Medium 6.5 dns-packet-1.3.1.tgz Transitive 1.1.0
CVE-2022-0613 Medium 6.5 urijs-1.19.1.tgz Transitive N/A*
CVE-2019-1010266 Medium 6.5 lodash-4.17.5.tgz Transitive 1.1.0
CVE-2020-26291 Medium 6.5 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2022-1243 Medium 6.1 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2022-1233 Medium 6.1 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2022-0868 Medium 6.1 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2021-3647 Medium 6.1 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2022-0122 Medium 6.1 node-forge-0.7.1.tgz Transitive 5.0.0
WS-2019-0427 Medium 5.9 elliptic-6.4.0.tgz Transitive 1.1.0
WS-2019-0424 Medium 5.9 elliptic-6.4.0.tgz Transitive 1.1.0
CVE-2020-7789 Medium 5.6 node-notifier-5.2.1.tgz Transitive 1.1.0
CVE-2021-24033 Medium 5.6 react-dev-utils-4.2.1.tgz Transitive 4.0.0
CVE-2020-7598 Medium 5.6 minimist-0.0.10.tgz Transitive 1.1.0
CVE-2018-16487 Medium 5.6 lodash-4.17.5.tgz Transitive 1.1.0
WS-2019-0103 Medium 5.6 handlebars-4.0.11.tgz Transitive 1.1.0
CVE-2020-15366 Medium 5.6 detected in multiple dependencies Transitive 2.0.0
CVE-2020-7693 Medium 5.3 sockjs-0.3.18.tgz Transitive 3.4.2
CVE-2022-0512 Medium 5.3 detected in multiple dependencies Transitive 1.1.0
CVE-2021-3664 Medium 5.3 detected in multiple dependencies Transitive 1.1.0
WS-2019-0017 Medium 5.3 clean-css-4.1.9.tgz Transitive 1.1.0
WS-2017-3757 Medium 5.3 content-type-parser-1.0.2.tgz Transitive N/A*
CVE-2022-24723 Medium 5.3 urijs-1.19.1.tgz Transitive 1.1.0
CVE-2020-28500 Medium 5.3 lodash-4.17.5.tgz Transitive 1.1.0
WS-2018-0347 Medium 5.3 eslint-4.10.0.tgz Transitive 2.0.0
CVE-2022-24773 Medium 5.3 node-forge-0.7.1.tgz Transitive 5.0.0
CVE-2021-27515 Medium 5.3 detected in multiple dependencies Transitive 1.1.0
CVE-2020-8124 Medium 5.3 detected in multiple dependencies Transitive 1.1.0
CVE-2021-29060 Medium 5.3 color-string-0.3.0.tgz Transitive 2.0.0
CVE-2022-33987 Medium 5.3 got-6.7.1.tgz Transitive 2.0.1
CVE-2020-7608 Medium 5.3 detected in multiple dependencies Transitive 3.4.2
CVE-2022-0639 Medium 5.3 detected in multiple dependencies Transitive 1.1.0
CVE-2021-23362 Medium 5.3 hosted-git-info-2.5.0.tgz Transitive 1.1.0
CVE-2017-16028 Medium 5.3 randomatic-1.1.7.tgz Transitive 1.1.0
WS-2019-0307 Medium 5.1 mem-1.1.0.tgz Transitive 2.0.0
WS-2018-0103 Medium 4.8 stringstream-0.0.5.tgz Transitive 1.1.0
WS-2018-0589 Low 3.7 nwmatcher-1.4.3.tgz Transitive 1.1.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

Partial details (14 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-3774

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/original/node_modules/url-parse/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/original/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • eventsource-0.1.6.tgz
          • original-1.0.0.tgz
            • url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/url-parse/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2021-23369

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/handlebars/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/handlebars/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • istanbul-api-1.2.1.tgz
          • istanbul-reports-1.1.3.tgz
            • handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2019-19919

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/handlebars/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/handlebars/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • istanbul-api-1.2.1.tgz
          • istanbul-reports-1.1.3.tgz
            • handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2018-13797

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/macaddress/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/macaddress/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • css-loader-0.28.7.tgz
      • cssnano-3.10.0.tgz
        • postcss-filter-plugins-2.0.2.tgz
          • uniqid-4.1.1.tgz
            • macaddress-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2018-07-10

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2018-1000620

Vulnerable Libraries - cryptiles-2.0.5.tgz, cryptiles-3.1.2.tgz

cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • fsevents-1.1.2.tgz
      • node-pre-gyp-0.6.39.tgz
        • hawk-3.1.3.tgz
          • cryptiles-2.0.5.tgz (Vulnerable Library)

cryptiles-3.1.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-environment-jsdom-20.0.3.tgz
          • jsdom-9.12.0.tgz
            • request-2.83.0.tgz
              • hawk-6.0.2.tgz
                • cryptiles-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/merge/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/merge/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-haste-map-20.0.5.tgz
          • sane-1.6.0.tgz
            • exec-sh-0.2.1.tgz
              • merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (react-scripts): 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/minimist/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/minimist/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • istanbul-api-1.2.1.tgz
          • istanbul-reports-1.1.3.tgz
            • handlebars-4.0.11.tgz
              • optimist-0.6.1.tgz
                • minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 5.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-23383

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/handlebars/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/handlebars/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • istanbul-api-1.2.1.tgz
          • istanbul-reports-1.1.3.tgz
            • handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2018-3750

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/deep-extend/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/deep-extend/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • fsevents-1.1.2.tgz
      • node-pre-gyp-0.6.39.tgz
        • rc-1.2.5.tgz
          • deep-extend-0.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-0691

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/original/node_modules/url-parse/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/original/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • eventsource-0.1.6.tgz
          • original-1.0.0.tgz
            • url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/url-parse/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2018-16492

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/extend/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/extend/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-environment-jsdom-20.0.3.tgz
          • jsdom-9.12.0.tgz
            • request-2.83.0.tgz
              • extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2018-6342

Vulnerable Library - react-dev-utils-4.2.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.1.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/react-dev-utils/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/react-dev-utils/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 4.2.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /Groovy/grails-react-spring-security-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-spring-security-master/client/node_modules/loader-utils/package.json,/Groovy/grails-react-oauth-google-master/client/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/loader-utils/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • postcss-loader-2.0.8.tgz
      • loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /Groovy/grails-react-oauth-google-master/client/package.json

Path to vulnerable library: /Groovy/grails-react-oauth-google-master/client/node_modules/shell-quote/package.json,/Groovy/grails-react-spring-security-master/client/node_modules/shell-quote/package.json

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 005e7e1229c0d378ecd766783164e16d4102b5ce

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

0 participants