Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
mend-for-github-combot changed the title from "react-scripts-3.4.1.tgz: 27 vulnerabilities (highest severity is: 9.8)" to "react-scripts-3.4.1.tgz: 28 vulnerabilities (highest severity is: 9.8)" on May 28, 2024.
Vulnerable Library - react-scripts-3.4.1.tgz
Path to dependency file: /fixtures/nesting/package.json
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/tough-cookie/package.json,/fixtures/concurrent/time-slicing/node_modules/tough-cookie/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-37601
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.7%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-42740
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/react-dev-utils/node_modules/shell-quote/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-3757
Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-23436
Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Publish Date: 2021-09-01
URL: CVE-2021-23436
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-15256
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (react-scripts): 3.4.4
In order to enable automatic remediation, please create workflow rules
CVE-2021-23434
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.
Publish Date: 2021-08-27
URL: CVE-2021-23434
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (react-scripts): 3.4.4
In order to enable automatic remediation, please create workflow rules
CVE-2020-7660
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (react-scripts): 3.4.3
In order to enable automatic remediation, please create workflow rules
CVE-2024-4068
Vulnerable Library - braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/fast-glob/node_modules/braces/package.json,/fixtures/nesting/node_modules/jest-config/node_modules/braces/package.json,/fixtures/ssr2/package.json,/fixtures/nesting/node_modules/jest-haste-map/node_modules/braces/package.json,/node_modules/readdirp/node_modules/braces/package.json,/fixtures/concurrent/time-slicing/node_modules/braces/package.json,/fixtures/nesting/node_modules/readdirp/node_modules/braces/package.json,/fixtures/nesting/node_modules/http-proxy-middleware/node_modules/braces/package.json,/fixtures/nesting/node_modules/webpack/node_modules/braces/package.json,/fixtures/nesting/node_modules/@jest/transform/node_modules/braces/package.json,/fixtures/nesting/node_modules/webpack-dev-server/node_modules/braces/package.json,/fixtures/nesting/node_modules/sane/node_modules/braces/package.json,/node_modules/chokidar/node_modules/braces/package.json,/fixtures/nesting/node_modules/watchpack-chokidar2/node_modules/braces/package.json,/fixtures/nesting/node_modules/fork-ts-checker-webpack-plugin/node_modules/micromatch/node_modules/braces/package.json,/fixtures/nesting/node_modules/@jest/core/node_modules/braces/package.json,/fixtures/nesting/node_modules/jest-message-util/node_modules/braces/package.json,/fixtures/fizz/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
CVE-2022-37603
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/adjust-sourcemap-loader/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/react-dev-utils/node_modules/loader-utils/package.json,/fixtures/nesting/node_modules/resolve-url-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.6%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-24772
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-24771
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses an unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-3805
Vulnerable Library - object-path-0.11.4.tgz
Access deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/object-path/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (react-scripts): 3.4.4
In order to enable automatic remediation, please create workflow rules
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
CVE-2021-23382
Vulnerable Library - postcss-7.0.21.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/resolve-url-loader/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-28477
Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Path to dependency file: /fixtures/nesting/package.json
Path to vulnerable library: /fixtures/nesting/node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects all versions of package immer.
Publish Date: 2021-01-19
URL: CVE-2020-28477
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-01-19
Fix Resolution (immer): 8.0.1
Direct dependency fix Resolution (react-scripts): 4.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (react-scripts): 5.0.0
WS-2022-0008
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/request/package.json,/fixtures/nesting/node_modules/request/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2022-0122
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /fixtures/concurrent/time-slicing/package.json
Path to vulnerable library: /fixtures/concurrent/time-slicing/node_modules/node-forge/package.json,/fixtures/nesting/node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7
Found in base branch: main
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules