webpack-cli-2.0.15.tgz: 19 vulnerabilities (highest severity is: 9.8) #5
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
This was referenced Apr 22, 2022
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
1 task
mend-for-github-com
bot
changed the title
1 task
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mem/package.json
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Vulnerabilities
Details
Vulnerable Library - deep-extend-0.4.2.tgz
Recursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/deep-extend/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
Release Date: 2018-07-03
Fix Resolution (deep-extend): 0.5.1
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - ejs-2.5.9.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.5.9.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - ejs-2.5.9.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.5.9.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Libraries - async-1.5.2.tgz, async-2.6.0.tgz
async-1.5.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/async/package.json
Dependency Hierarchy:
async-2.6.0.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/yeoman-generator/node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (webpack-cli): 3.0.0
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - normalize-url-2.0.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - underscore-1.6.0.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/underscore/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution (underscore): 1.12.1
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - shelljs-0.8.1.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.1.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/shelljs/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2022-01-11
Fix Resolution (shelljs): 0.8.5
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
Release Date: 2020-09-30
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - minimist-0.1.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.1.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/glob-all/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - lodash-4.17.5.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/webpack-cli/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Libraries - got-7.1.0.tgz, got-8.3.0.tgz
got-7.1.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-7.1.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/gh-got/node_modules/got/package.json
Dependency Hierarchy:
got-8.3.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-8.3.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 12.0.0-beta.1
Direct dependency fix Resolution (webpack-cli): 3.0.0
Fix Resolution (got): 12.0.0-beta.1
Direct dependency fix Resolution (webpack-cli): 3.0.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - yargs-parser-9.0.2.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (webpack-cli): 3.3.5
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - hosted-git-info-2.6.0.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.6.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mem/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.
Publish Date: 2018-08-27
URL: WS-2019-0307
CVSS 3 Score Details (5.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2018-08-27
Fix Resolution (mem): 4.0.0
Direct dependency fix Resolution (webpack-cli): 2.1.0
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - minimist-0.1.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.1.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/glob-all/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (webpack-cli): 4.0.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: