webpack-4.6.0.tgz: 15 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - webpack-4.6.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mixin-deep/package.json

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2019-10747	High	9.8	detected in multiple dependencies	Transitive	4.7.0	✅
CVE-2019-10746	High	9.8	mixin-deep-1.3.1.tgz	Transitive	4.7.0	✅
CVE-2021-23440	High	9.8	detected in multiple dependencies	Transitive	4.7.0	✅
CVE-2020-7774	High	9.8	y18n-4.0.0.tgz	Transitive	4.7.0	✅
CVE-2020-7660	High	8.1	serialize-javascript-1.5.0.tgz	Transitive	4.26.0	✅
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	4.7.0	✅
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	4.7.0	✅
CVE-2020-28469	High	7.5	glob-parent-3.1.0.tgz	Transitive	5.0.0	✅
WS-2020-0042	High	7.5	acorn-5.5.3.tgz	Transitive	4.7.0	✅
CVE-2021-27290	High	7.5	ssri-5.3.0.tgz	Transitive	4.26.0	✅
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	4.7.0	✅
WS-2019-0427	Medium	5.9	elliptic-6.4.0.tgz	Transitive	4.7.0	✅
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	4.7.0	✅
CVE-2020-15366	Medium	5.6	ajv-6.4.0.tgz	Transitive	4.7.0	✅
CVE-2019-16769	Medium	5.4	serialize-javascript-1.5.0.tgz	Transitive	4.26.0	✅

Details

CVE-2019-10747

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • union-value-1.0.0.tgz
            • ❌ set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/set-value/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • ❌ set-value-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.7.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-10746

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23440

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/set-value/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • ❌ set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • union-value-1.0.0.tgz
            • ❌ set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23440

Release Date: 2021-09-12

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.7.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7774

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/y18n/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.2.5.tgz
    • cacache-10.0.4.tgz
      • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7660

Vulnerable Library - serialize-javascript-1.5.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.2.5.tgz
    • ❌ serialize-javascript-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (webpack): 4.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-13822

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • node-libs-browser-2.1.0.tgz
    • crypto-browserify-3.12.0.tgz
      • create-ecdh-4.0.1.tgz
        • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/kind-of/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/glob-parent/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • watchpack-1.5.0.tgz
    • chokidar-2.0.3.tgz
      • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (webpack): 5.0.0

⛑️ Automatic Remediation is available for this issue

WS-2020-0042

Vulnerable Library - acorn-5.5.3.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.5.3.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/acorn/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • ❌ acorn-5.5.3.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 5.7.4

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-27290

Vulnerable Library - ssri-5.3.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ssri/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.2.5.tgz
    • cacache-10.0.4.tgz
      • ❌ ssri-5.3.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (webpack): 4.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-28498

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • node-libs-browser-2.1.0.tgz
    • crypto-browserify-3.12.0.tgz
      • create-ecdh-4.0.1.tgz
        • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution (elliptic): 6.5.4

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

WS-2019-0427

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • node-libs-browser-2.1.0.tgz
    • crypto-browserify-3.12.0.tgz
      • create-ecdh-4.0.1.tgz
        • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

The function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2

Publish Date: 2019-11-22

URL: WS-2019-0427

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-11-22

Fix Resolution (elliptic): 6.5.2

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

WS-2019-0424

Vulnerable Library - elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/elliptic/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • node-libs-browser-2.1.0.tgz
    • crypto-browserify-3.12.0.tgz
      • create-ecdh-4.0.1.tgz
        • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424

Release Date: 2019-11-13

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-15366

Vulnerable Library - ajv-6.4.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.4.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/ajv/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • ❌ ajv-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (webpack): 4.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-16769

Vulnerable Library - serialize-javascript-1.5.0.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.5.0.tgz

Path to dependency file: /springfox-swagger-ui/src/web/package.json

Path to vulnerable library: /springfox-swagger-ui/src/web/node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• webpack-4.6.0.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.2.5.tgz
    • ❌ serialize-javascript-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: d81ad8f4720da473278f27eeb39173c414852834

Found in base branch: main

Vulnerability Details

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Publish Date: 2019-12-05

URL: CVE-2019-16769

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769

Release Date: 2020-01-17

Fix Resolution (serialize-javascript): 2.1.1

Direct dependency fix Resolution (webpack): 4.26.0

⛑️ Automatic Remediation is available for this issue

---

⛑️ Automatic Remediation is available for this issue.