
jest-cli-15.1.1.tgz: 55 vulnerabilities (highest severity is: 9.8) #7

Open

dev-mend-for-github-com bot opened this issue Feb 20, 2023 · 0 comments

Labels: Mend: dependency security vulnerability (Security vulnerability detected by WhiteSource)

dev-mend-for-github-com bot commented Feb 20, 2023

Vulnerable Library - jest-cli-15.1.1.tgz

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (jest-cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-23369 | Critical | 9.8 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2019-19919 | Critical | 9.8 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2020-7774 | Critical | 9.8 | y18n-3.2.1.tgz | Transitive | 16.0.0 | |
| CVE-2018-1000620 | Critical | 9.8 | cryptiles-2.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2020-28499 | Critical | 9.8 | merge-1.2.0.tgz | Transitive | 24.0.0 | |
| WS-2020-0344 | Critical | 9.8 | is-my-json-valid-2.14.0.tgz | Transitive | 16.0.0 | |
| CVE-2021-23383 | Critical | 9.8 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2018-16492 | Critical | 9.8 | extend-3.0.0.tgz | Transitive | 16.0.0 | |
| CVE-2018-3728 | High | 8.8 | hoek-2.16.3.tgz | Transitive | 16.0.0 | |
| WS-2019-0333 | High | 8.1 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2019-20920 | High | 8.1 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| WS-2019-0063 | High | 8.1 | js-yaml-3.6.1.tgz | Transitive | 16.0.0 | |
| WS-2018-0084 | High | 8.0 | sshpk-1.10.0.tgz | Transitive | 16.0.0 | |
| CVE-2017-15010 | High | 7.5 | tough-cookie-2.3.1.tgz | Transitive | 16.0.0 | |
| CVE-2016-10540 | High | 7.5 | minimatch-2.0.10.tgz | Transitive | 16.0.0 | |
| WS-2019-0492 | High | 7.5 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2018-3737 | High | 7.5 | sshpk-1.10.0.tgz | Transitive | 16.0.0 | |
| CVE-2018-16469 | High | 7.5 | merge-1.2.0.tgz | Transitive | 16.0.0 | |
| WS-2019-0493 | High | 7.5 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2017-18077 | High | 7.5 | brace-expansion-1.1.6.tgz | Transitive | 16.0.0 | |
| WS-2019-0318 | High | 7.5 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2021-23343 | High | 7.5 | path-parse-1.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2019-20922 | High | 7.5 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| WS-2018-0069 | High | 7.5 | is-my-json-valid-2.14.0.tgz | Transitive | 16.0.0 | |
| CVE-2017-16114 | High | 7.5 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| WS-2020-0218 | High | 7.5 | merge-1.2.0.tgz | Transitive | 24.0.0 | |
| WS-2019-0032 | High | 7.5 | js-yaml-3.6.1.tgz | Transitive | 16.0.0 | |
| WS-2019-0064 | High | 7.3 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| WS-2018-0590 | High | 7.0 | diff-3.0.0.tgz | Transitive | 16.0.0 | |
| CVE-2018-21270 | Medium | 6.5 | stringstream-0.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2020-8244 | Medium | 6.5 | bl-1.1.2.tgz | Transitive | 16.0.0 | |
| CVE-2017-1000427 | Medium | 6.1 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| WS-2019-0026 | Medium | 6.1 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| WS-2019-0025 | Medium | 6.1 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| WS-2020-0163 | Medium | 5.9 | marked-0.3.6.tgz | Transitive | 19.0.0 | |
| CVE-2020-7789 | Medium | 5.6 | node-notifier-4.6.1.tgz | Transitive | 19.0.0 | |
| CVE-2020-7598 | Medium | 5.6 | detected in multiple dependencies | Transitive | 16.0.0 | |
| WS-2019-0103 | Medium | 5.6 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2017-16032 | Medium | 5.5 | brace-expansion-1.1.6.tgz | Transitive | 16.0.0 | |
| CVE-2017-16137 | Medium | 5.3 | debug-2.2.0.tgz | Transitive | 16.0.0 | |
| WS-2020-0342 | Medium | 5.3 | is-my-json-valid-2.14.0.tgz | Transitive | 16.0.0 | |
| WS-2018-0628 | Medium | 5.3 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| WS-2021-0154 | Medium | 5.3 | glob-parent-2.0.0.tgz | Transitive | N/A* | |
| WS-2019-0027 | Medium | 5.3 | marked-0.3.6.tgz | Transitive | 16.0.0 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-3.2.0.tgz | Transitive | 20.0.0 | |
| CVE-2018-1107 | Medium | 5.3 | is-my-json-valid-2.14.0.tgz | Transitive | 16.0.0 | |
| CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.1.5.tgz | Transitive | 16.0.0 | |
| CVE-2017-16028 | Medium | 5.3 | randomatic-1.1.5.tgz | Transitive | 16.0.0 | |
| WS-2018-0076 | Medium | 5.1 | tunnel-agent-0.4.3.tgz | Transitive | 16.0.0 | |
| WS-2019-0332 | Medium | 5.0 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| CVE-2017-1000048 | Medium | 5.0 | qs-6.2.1.tgz | Transitive | 16.0.0 | |
| WS-2019-0331 | Medium | 5.0 | handlebars-4.0.5.tgz | Transitive | 16.0.0 | |
| WS-2018-0103 | Medium | 4.8 | stringstream-0.0.5.tgz | Transitive | 16.0.0 | |
| WS-2018-0589 | Medium | 4.0 | nwmatcher-1.3.8.tgz | Transitive | 16.0.0 | |
| WS-2017-0247 | Low | 3.4 | ms-0.7.1.tgz | Transitive | 16.0.0 | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-23369

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2019-19919

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • yargs-5.0.0.tgz
      • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2018-1000620

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • hawk-3.1.3.tgz
            • cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method, which makes it more likely that an attacker can brute-force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • sane-1.4.1.tgz
      • exec-sh-0.2.0.tgz
        • merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1666

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.1

Direct dependency fix Resolution (jest-cli): 24.0.0

WS-2020-0344

Vulnerable Library - is-my-json-valid-2.14.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.14.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2021-23383

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2018-16492

Vulnerable Library - extend-3.0.0.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • extend-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2018-3728

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • hawk-3.1.3.tgz
            • hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2019-0333

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it is possible to add or modify properties of the Object prototype. This can also lead to DoS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2019-20920

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2019-0063

Vulnerable Library - js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • js-yaml-3.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2018-0084

Vulnerable Library - sshpk-1.10.0.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • http-signature-1.1.1.tgz
            • sshpk-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution (sshpk): 1.14.1

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2017-15010

Vulnerable Library - tough-cookie-2.3.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.1.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • tough-cookie-2.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution (tough-cookie): 2.3.3

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2016-10540

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • fileset-0.2.1.tgz
        • minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-05-31

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2019-0492

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2018-3737

Vulnerable Library - sshpk-1.10.0.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.10.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • http-signature-1.1.1.tgz
            • sshpk-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-06-07

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-06-07

Fix Resolution (sshpk): 1.13.2

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2018-16469

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • sane-1.4.1.tgz
      • exec-sh-0.2.0.tgz
        • merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469

Release Date: 2018-10-30

Fix Resolution (merge): 1.2.1

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2019-0493

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution (handlebars): 4.5.2

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2017-18077

Vulnerable Library - brace-expansion-1.1.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • sane-1.4.1.tgz
      • minimatch-3.0.3.tgz
        • brace-expansion-1.1.6.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Publish Date: 2018-01-27

URL: CVE-2017-18077

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18077

Release Date: 2018-01-27

Fix Resolution (brace-expansion): 1.1.7

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2019-0318

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable to Regular Expression Denial of Service (ReDoS) when receiving specially crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-10-20

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2021-23343

Vulnerable Library - path-parse-1.0.5.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-lib-report-1.0.0-alpha.3.tgz
        • path-parse-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (jest-cli): 16.0.0

CVE-2019-20922

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • istanbul-api-1.0.0-aplha.10.tgz
      • istanbul-reports-1.0.0-alpha.8.tgz
        • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 16.0.0

WS-2018-0069

Vulnerable Library - is-my-json-valid-2.14.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.14.0.tgz

Dependency Hierarchy:

  • jest-cli-15.1.1.tgz (Root Library)
    • jest-environment-jsdom-15.1.1.tgz
      • jsdom-9.5.0.tgz
        • request-2.75.0.tgz
          • har-validator-2.0.6.tgz
            • is-my-json-valid-2.14.0.tgz (Vulnerable Library)

Found in HEAD commit: 152391439c08935dcc6310281831e81c661f942e

Found in base branch: main

Vulnerability Details

Versions of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the email validation function.

Publish Date: 2018-02-14

URL: WS-2018-0069

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/572

Release Date: 2018-02-14

Fix Resolution (is-my-json-valid): 2.17.2

Direct dependency fix Resolution (jest-cli): 16.0.0
