mend-for-github-com bot changed the title from "webpack-4.6.0.tgz: 23 vulnerabilities (highest severity is: 9.8)" to "webpack-4.6.0.tgz: 15 vulnerabilities (highest severity is: 9.8)" on Jun 29, 2022
mend-for-github-com bot changed the title from "webpack-4.6.0.tgz: 15 vulnerabilities (highest severity is: 9.8)" to "webpack-4.6.0.tgz: 16 vulnerabilities (highest severity is: 9.8)" on Jul 25, 2022
mend-for-github-com bot changed the title from "webpack-4.6.0.tgz: 16 vulnerabilities (highest severity is: 9.8)" to "webpack-4.6.0.tgz: 15 vulnerabilities (highest severity is: 9.8)" on Jul 28, 2022
Vulnerable Library - webpack-4.6.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mixin-deep/package.json
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Vulnerabilities
Details
CVE-2019-10747
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-29
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (webpack): 4.7.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-10746
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-23440
Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/set-value/package.json
Dependency Hierarchy:
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (webpack): 4.7.0
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: `const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true`
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-7660
Vulnerable Library - serialize-javascript-1.5.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-13822
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-20149
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2020-08-24
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex is used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack): 5.0.0
⛑️ Automatic Remediation is available for this issue
WS-2020-0042
Vulnerable Library - acorn-5.5.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.5.3.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/acorn/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF-16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-27290
Vulnerable Library - ssri-5.3.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28498
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0427
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The function getNAF() in the elliptic library has information leakage. This issue is mitigated in version 6.5.2.
Publish Date: 2019-11-22
URL: WS-2019-0427
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-11-22
Fix Resolution (elliptic): 6.5.2
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
WS-2019-0424
Vulnerable Library - elliptic-6.4.0.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
All versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-15366
Vulnerable Library - ajv-6.4.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.4.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (webpack): 4.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-16769
Vulnerable Library - serialize-javascript-1.5.0.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz
Path to dependency file: /springfox-swagger-ui/src/web/package.json
Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834
Found in base branch: main
Vulnerability Details
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect the Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 3 Score Details (5.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2020-01-17
Fix Resolution (serialize-javascript): 2.1.1
Direct dependency fix Resolution (webpack): 4.26.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.