[Snyk] Security upgrade @reactioncommerce/api-plugin-files from 1.0.13 to 1.0.19 #7

Open. Wants to merge 1 commit into base: trunk.
Conversation

terrorizer1980 (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity
high severity | 696/1000. Why? Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS), SNYK-JS-ANSIREGEX-1583908 | No | Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: @reactioncommerce/api-plugin-files The new version differs by 47 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
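Review bot: this thread hangs on an unchanged context line, `"@reactioncommerce/api-plugin-email": "~1.0.1",`, so none of the findings in the comment below are touched by this PR; the one change in this hunk is the api-plugin-files bump described in the PR body. Track the 9 critical findings reported here (lodash, minimist and json-schema prototype pollution, the moment locale path traversal and the four ReDoS entries) in a separate upgrade of that dependency rather than letting them read as closed by this merge.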

Critical OSS Vulnerability:

pkg:npm/@reactioncommerce/[package and version not shown]

9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies

Components
    pkg:npm/lodash (version not shown)
      CRITICAL  [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
                Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
                CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, CWE-77
      SEVERE    [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWE-400

    pkg:npm/minimist (version not shown)
      CRITICAL  [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-1321

    pkg:npm/ansi-regex (version not shown)
      CRITICAL  [sonatype-2021-1169] ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/json-schema (version not shown)
      CRITICAL  [CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
                json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-915

    pkg:npm/ramda (version not shown)
      CRITICAL  [sonatype-2021-1736] ramda - Regular Expression Denial of Service (ReDoS)
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/moment (version not shown)
      CRITICAL  [CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
                Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, CWE-22

    pkg:npm/minimatch (version not shown)
      CRITICAL  [sonatype-2021-4879] minimatch - Regular Expression Denial of Service (ReDoS)
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/request (version not shown)
      SEVERE    [sonatype-2017-0655] request - Weak Authentication Algorithm
                CVSS 5.9, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-310
      MODERATE  [sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
                request - Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
                CVSS 3.7, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, CWE-326

    pkg:npm/validator (version not shown)
      CRITICAL  [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                validator - Regular Expression Denial of Service (ReDoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-400
      CRITICAL  [sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                validator - Regular Expression Denial of Service (ReDoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-400

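The minimist and json-schema findings in the comment above (and the aws-sdk INI loader and ini findings further down the page) are one bug class, prototype pollution: a key path taken from untrusted input is written into a nested object, and a path such as `__proto__.isAdmin` lands on `Object.prototype`, where every later object inherits it. The block below is an added example, not code from minimist, json-schema, ini, aws-sdk or the Reaction Commerce plugins, and it does not reproduce the `setKey()` function the advisory names. It pairs a toy dotted-path setter of the kind these parsers contain with a hardened version; the function names, the `isAdmin` probe and the input pairs are constructed for the demonstration.

```javascript
'use strict';

// Constructed example, not code from minimist, json-schema, ini or aws-sdk.
// A naive "set a nested key from a dotted path" helper, the shape shared by
// argv parsers, INI readers and schema walkers. It walks or creates an object
// for every segment and never asks whether a segment is "__proto__".
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined || node[keys[i]] === null) node[keys[i]] = {};
    node = node[keys[i]]; // for "__proto__" this is Object.prototype itself
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject the three names that reach the prototype chain,
// descend only through own properties, and build prototype-less containers
// so a missed case still has no prototype to pollute.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new Error(`refusing to set reserved key "${k}"`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(node, k) || typeof node[k] !== 'object' || node[k] === null) {
      node[k] = Object.create(null);
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Feed a list of key/value pairs through a setter, then probe whether the
// global Object.prototype was modified: a brand-new, unrelated object would
// inherit the injected property. The probe property is removed afterwards so
// the process is left clean for whatever runs next.
function applyAndProbe(setter, pairs) {
  const cfg = {};
  let error = null;
  try {
    for (const [path, value] of pairs) setter(cfg, path, value);
  } catch (e) {
    error = e.message;
  }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, error, cfg };
}

// Constructed untrusted input, e.g. parsed from a command line or an uploaded
// INI file: one legitimate setting and one pollution attempt.
const MALICIOUS_PAIRS = [
  ['server.port', 8080],
  ['__proto__.isAdmin', true],
];

console.log('unsafe:', applyAndProbe(setPathUnsafe, MALICIOUS_PAIRS));
console.log('safe:  ', applyAndProbe(setPathSafe, MALICIOUS_PAIRS));
```

The unsafe setter reports `polluted: true` because `cfg.__proto__` resolves to `Object.prototype` and the final assignment lands there; the safe setter throws before writing and leaves `polluted: false`, while the legitimate `server.port` pair set before the rejected one is still present. The `Object.create(null)` containers are the second line of defence: even a path the allowlist does not catch has no prototype to walk into.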

@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",
"@reactioncommerce/api-plugin-email-templates": "~1.0.1",
"@reactioncommerce/api-plugin-files": "~1.0.13",
"@reactioncommerce/api-plugin-files": "~1.0.19",
"@reactioncommerce/api-plugin-i18n": "~1.0.0",
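Review bot: the version range is the weak control here. `"@reactioncommerce/api-plugin-files": "~1.0.19",` still lets a fresh `npm install` resolve any later 1.0.x, so the fix is only held in place by the package-lock.json change this PR also carries. Confirm the lock entry resolves the plugin to exactly 1.0.19 and that CI installs with `npm ci` so the lock is honored; otherwise the dependency can drift to a version nobody reviewed.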

Critical OSS Vulnerability:

pkg:npm/@reactioncommerce/[package and version not shown]

9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies


@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",
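Review bot: as with the previous context line, `"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",` is unchanged by this hunk, yet the comment below attaches 12 critical findings to it, including the simpl-schema prototype pollution (CVE-2020-7742) that does not appear in the email plugin's list. Those need their own dependency bump; record them as follow-ups on this PR so the Snyk merge does not imply they were addressed.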

Critical OSS Vulnerability:

pkg:npm/@reactioncommerce/[package and version not shown]

12 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 12 dependencies

Components
    pkg:npm/lodash (version not shown)
      CRITICAL  [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
                Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
                CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, CWE-77
      SEVERE    [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWE-400

    pkg:npm/minimist (version not shown)
      CRITICAL  [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-1321

    pkg:npm/ansi-regex (version not shown)
      CRITICAL  [sonatype-2021-1169] ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/json-schema (version not shown)
      CRITICAL  [CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
                json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-915

    pkg:npm/ramda (version not shown)
      CRITICAL  [sonatype-2021-1736] ramda - Regular Expression Denial of Service (ReDoS)
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/lodash (second copy, version not shown)
      CRITICAL  [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
                Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
                CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, CWE-77

    pkg:npm/moment (version not shown)
      CRITICAL  [CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
                Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, CWE-22

    pkg:npm/minimatch (version not shown)
      CRITICAL  [sonatype-2021-4879] minimatch - Regular Expression Denial of Service (ReDoS)
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/request (version not shown)
      SEVERE    [sonatype-2017-0655] request - Weak Authentication Algorithm
                CVSS 5.9, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-310
      MODERATE  [sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
                request - Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
                CVSS 3.7, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, CWE-326

    pkg:npm/simpl-schema (version not shown)
      CRITICAL  [CVE-2020-7742] This affects the package simpl-schema before 1.10.2.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1321

    pkg:npm/validator (version not shown)
      CRITICAL  [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                validator - Regular Expression Denial of Service (ReDoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-400
      CRITICAL  [sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                validator - Regular Expression Denial of Service (ReDoS). The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-400

    pkg:npm/simpl-schema (second copy, version not shown)
      CRITICAL  [CVE-2020-7742] This affects the package simpl-schema before 1.10.2.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1321

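The comments above flag the same transitive packages again and again, and for several of them state the boundary of the affected range: lodash prior to 4.17.21, minimist up to and including 1.2.5, moment patched in 2.29.2, simpl-schema before 1.10.2. Whether the 1.0.13 to 1.0.19 bump actually moves those packages out of range is decided by what package-lock.json resolves, including nested copies under another dependency's own node_modules. The block below is an added example, not Snyk's or Sonatype's tooling and not the project's code: it walks the `packages` map of a lockfile (lockfileVersion 2 or 3), names each entry from its path so scoped and nested packages are handled, and reports every copy still inside an affected range. The rule table carries only the boundaries this page states (ansi-regex, ramda, minimatch, validator and request have no fix version on the page, so they are left out); the lockfile content and its versions are constructed for illustration and are not the real resolution of any Reaction Commerce plugin.

```javascript
'use strict';

// Advisory boundaries as stated on this page. "below": every lower version is
// affected. "through": the named version itself is still affected (the page
// says minimist <= 1.2.5). Constructed table, not a feed from any scanner.
const RULES = [
  { name: 'lodash',       below: '4.17.21', id: 'CVE-2021-23337 / CVE-2020-28500' },
  { name: 'minimist',     through: '1.2.5', id: 'CVE-2021-44906' },
  { name: 'moment',       below: '2.29.2',  id: 'CVE-2022-24785' },
  { name: 'simpl-schema', below: '1.10.2',  id: 'CVE-2020-7742' },
];

// Minimal semver ordering: numeric major.minor.patch, and a pre-release tag
// (e.g. 1.0.0-rc.9) sorts before the matching release. Build metadata after
// "+" is ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split('+')[0].split('-');
  const [bCore, bPre] = b.split('+')[0].split('-');
  const an = aCore.split('.').map(Number);
  const bn = bCore.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (an[i] || 0) - (bn[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (aPre === undefined && bPre === undefined) return 0;
  if (aPre === undefined) return 1;  // release sorts after its pre-releases
  if (bPre === undefined) return -1;
  return aPre < bPre ? -1 : aPre > bPre ? 1 : 0;
}

function isAffected(rule, version) {
  if (rule.below !== undefined) return compareVersions(version, rule.below) < 0;
  return compareVersions(version, rule.through) <= 0;
}

// The package name is whatever follows the last "node_modules/" in a lockfile
// path. That keeps scoped names such as "@aws-sdk/shared-ini-file-loader"
// intact and resolves nested copies like node_modules/a/node_modules/lodash.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3). One record per
// affected copy, so a package vendored twice at different versions shows up
// twice, which is exactly the case a top-level "npm ls" summary hides.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    for (const rule of RULES) {
      if (rule.name === name && isAffected(rule, entry.version)) {
        findings.push({ path: lockPath, name, version: entry.version, advisory: rule.id });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment with illustrative versions: one fixed lodash at
// the top level, one stale nested lodash, a moment one patch short of the fix,
// minimist sitting exactly on the "through" boundary, and a pre-release entry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/moment': { version: '2.29.1' },
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/simpl-schema': { version: '1.10.2' },
    'node_modules/some-plugin/node_modules/lodash': { version: '4.17.20' },
    'node_modules/@aws-sdk/shared-ini-file-loader': { version: '1.0.0-rc.9' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} still affected (${f.advisory})`);
}
```

On the constructed lockfile the audit reports three copies: moment 2.29.1, minimist 1.2.5 (the boundary version is itself affected) and the nested lodash 4.17.20, while the top-level lodash 4.17.21 and simpl-schema 1.10.2 pass. Reading `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK` turns this into a merge gate for a PR like this one.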

@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",
"@reactioncommerce/api-plugin-email-templates": "~1.0.1",
"@reactioncommerce/api-plugin-files": "~1.0.13",
"@reactioncommerce/api-plugin-files": "~1.0.19",
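Review bot: the report attached to the upgraded line still lists ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807], the very issue Snyk opened this PR to fix (SNYK-JS-ANSIREGEX-1583908), next to 21 critical findings such as minimist and aws-sdk prototype pollution, node-forge signature verification and url-parse authorization bypass. Before merging, check the ansi-regex version resolved in the updated package-lock.json against Snyk's fix, and treat the remaining findings as open follow-up upgrades rather than as closed by the 1.0.13 to 1.0.19 bump.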

Critical OSS Vulnerability:

pkg:npm/@reactioncommerce/[package and version not shown]

21 Critical, 15 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 21 dependencies

Components
    pkg:npm/sharp (version not shown)
      SEVERE    [CVE-2022-29256] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
                sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5. If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.
                CVSS 6.5, CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H, CWE-78

    pkg:npm/minimist (version not shown)
      CRITICAL  [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-1321

    pkg:npm/follow-redirects (version not shown)
      SEVERE    [CVE-2022-0155] CWE-359: Exposure of Private Information ('Privacy Violation')
                follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
                CVSS 6.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, CWE-359
      SEVERE    [CVE-2022-0536] CWE-200: Information Exposure
                Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
                CVSS 5.9, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-200

    pkg:npm/ansi-regex (version not shown)
      CRITICAL  [sonatype-2021-1169] ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/json-schema (version not shown)
      CRITICAL  [CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
                json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-915

    pkg:npm/axios (version not shown)
      CRITICAL  [CVE-2021-3749] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                axios is vulnerable to Inefficient Regular Expression Complexity
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-400
      SEVERE    [CVE-2020-28168] CWE-918: Server-Side Request Forgery (SSRF)
                Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
                CVSS 5.9, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-918

    pkg:npm/node-forge (version not shown)
      CRITICAL  [CVE-2022-24771] CWE-347: Improper Verification of Cryptographic Signature
                Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, CWE-347
      CRITICAL  [CVE-2022-24772] CWE-347: Improper Verification of Cryptographic Signature
                Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, CWE-347
      CRITICAL  [sonatype-2022-0218] node-forge - Prototype Pollution
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, CWE-1321
      CRITICAL  [CVE-2020-7720] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
                The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
                CVSS 7.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, CWE-915
      SEVERE    [CVE-2022-0122] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
                forge is vulnerable to URL Redirection to Untrusted Site
                CVSS 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-601
      SEVERE    [CVE-2022-24773] CWE-347: Improper Verification of Cryptographic Signature
                Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, CWE-347

    pkg:npm/request (version not shown)
      SEVERE    [sonatype-2017-0655] request - Weak Authentication Algorithm
                CVSS 5.9, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-310
      MODERATE  [sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
                request - Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
                CVSS 3.7, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, CWE-326

    pkg:npm/[aws-sdk or @aws-sdk/shared-ini-file-loader; name and version not shown]
      CRITICAL  [CVE-2020-28472] CWE-471: Modification of Assumed-Immutable Data (MAID)
                This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-471

    pkg:npm/ini (version not shown)
      CRITICAL  [sonatype-2020-1214] CWE-471: Modification of Assumed-Immutable Data (MAID)
                ini - Prototype Pollution [CVE-2020-7788]. The software does not properly protect an assumed-immutable element from being modified by an attacker.
                CVSS 7.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, CWE-471

    pkg:npm/lodash (version not shown)
      CRITICAL  [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
                Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
                CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, CWE-77
      SEVERE    [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
                Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWE-400

    pkg:npm/url-parse (version not shown)
      CRITICAL  [CVE-2022-0691] CWE-639: Authorization Bypass Through User-Controlled Key
                Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
                CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-639
      CRITICAL  [CVE-2022-0686] CWE-639: Authorization Bypass Through User-Controlled Key
                Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
                CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, CWE-639
      SEVERE    [CVE-2021-27515] CWE-20: Improper Input Validation
                url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, CWE-20
      SEVERE    [CVE-2021-3664] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
                url-parse is vulnerable to URL Redirection to Untrusted Site
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, CWE-601
      SEVERE    [CVE-2022-0512] CWE-639: Authorization Bypass Through User-Controlled Key
                Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, CWE-639
      SEVERE    [CVE-2022-0639] CWE-639: Authorization Bypass Through User-Controlled Key
                Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
                CVSS 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, CWE-639

    pkg:npm/https-proxy-agent (version not shown)
      SEVERE    [sonatype-2019-0419] CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
                https-proxy-agent - Man-in-the-Middle. The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
                CVSS 5.9, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, CWE-300

    pkg:npm/node-fetch (version not shown)
      SEVERE    [CVE-2022-0235] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
                node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
                CVSS 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-601
      SEVERE    [CVE-2022-0645] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
                Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
                CVSS 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-601

    pkg:npm/ramda (version not shown)
      CRITICAL  [sonatype-2021-1736] ramda - Regular Expression Denial of Service (ReDoS)
                CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1333

    pkg:npm/lodash (second copy, version not shown)
      CRITICAL  [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
                Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
                CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, CWE-77

    pkg:npm/[package and version not shown]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-43138] In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

        In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

        CVSS Score: 7.8

        CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

        CWE: CWE-22

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-4879] Unknown

        minimatch - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (2)
        sonatype-2021-0509

        [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

        sonatype-2021-0510

        [sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

(at-me in a reply with help or ignore)


Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",
"@reactioncommerce/api-plugin-email-templates": "~1.0.1",
"@reactioncommerce/api-plugin-files": "~1.0.13",
"@reactioncommerce/api-plugin-files": "~1.0.19",
"@reactioncommerce/api-plugin-i18n": "~1.0.0",
"@reactioncommerce/api-plugin-inventory": "~1.0.2",
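Review bot: bumping "@reactioncommerce/api-plugin-files" from "~1.0.13" to "~1.0.19" does not by itself clear the dependency findings on this line. The scan comment attached to it reports [email protected] still resolving to [email protected] (CVE-2021-44906, CVSS 9.8), [email protected] (CVE-2021-3918, CVSS 9.8), [email protected] (sonatype-2021-1169 / CVE-2021-3807) and [email protected] (CVE-2022-24785), so the PR description should state which advisory this bump actually remediates, and the lockfile should be checked for whether those transitive packages are overridden or still pinned at the reported versions.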

Critical OSS Vulnerability:

pkg:npm/%40reactioncommerce/[email protected]

9 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 9 dependencies

Components
    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

        Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

        CVSS Score: 7.2

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-77

      SEVERE Vulnerabilities (1)

        [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

        Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

        json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-915

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1736] Unknown

        ramda - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

        CWE: CWE-22

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-4879] Unknown

        minimatch - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      SEVERE Vulnerabilities (1)

        [sonatype-2017-0655] Unknown

        request - Weak Authentication Algorithm

        CVSS Score: 5.9

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

        CWE: CWE-310

      MODERATE Vulnerabilities (1)

        [sonatype-2021-0749] CWE-326: Inadequate Encryption Strength

        request - Inadequate Encryption Strength

        The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

        CWE: CWE-326

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (2)
        sonatype-2021-0509

        [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

        sonatype-2021-0510

        [sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400


@@ -33,7 +33,7 @@
"@reactioncommerce/api-plugin-email": "~1.0.1",
"@reactioncommerce/api-plugin-email-smtp": "~1.0.1",
"@reactioncommerce/api-plugin-email-templates": "~1.0.1",
"@reactioncommerce/api-plugin-files": "~1.0.13",
"@reactioncommerce/api-plugin-files": "~1.0.19",
"@reactioncommerce/api-plugin-i18n": "~1.0.0",
"@reactioncommerce/api-plugin-inventory": "~1.0.2",
"@reactioncommerce/api-plugin-inventory-simple": "~1.0.1",
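Review bot: the tilde range "~1.0.19" accepts any later 1.0.x patch release, so the version that is actually installed is decided by package-lock.json, and that lockfile hunk is not shown here. The two scan comments attached to this same line disagree about [email protected] (9 Critical across 9 dependencies in one, 11 Critical across 11 dependencies in the other, the second additionally listing [email protected] under CVE-2020-7742 and a second copy of [email protected]), so the lockfile change should be reviewed together with this hunk to confirm which dependency tree is really pinned before treating the upgrade as a remediation.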

Critical OSS Vulnerability:

pkg:npm/%40reactioncommerce/[email protected]

11 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 11 dependencies

Components
    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

        Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

        CVSS Score: 7.2

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-77

      SEVERE Vulnerabilities (1)

        [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

        Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-3918] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

        json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-915

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1736] Unknown

        ramda - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

        Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

        CVSS Score: 7.2

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-77

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2022-24785] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

        CWE: CWE-22

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-4879] Unknown

        minimatch - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/[email protected]
      SEVERE Vulnerabilities (1)

        [sonatype-2017-0655] Unknown

        request - Weak Authentication Algorithm

        CVSS Score: 5.9

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

        CWE: CWE-310

      MODERATE Vulnerabilities (1)

        [sonatype-2021-0749] CWE-326: Inadequate Encryption Strength

        request - Inadequate Encryption Strength

        The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

        CWE: CWE-326

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (1)

        [CVE-2020-7742] This affects the package simpl-schema before 1.10.2.

        This affects the package simpl-schema before 1.10.2.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1321

    pkg:npm/[email protected]
      CRITICAL Vulnerabilities (2)
        sonatype-2021-0509

        [sonatype-2021-0509] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400

        sonatype-2021-0510

        [sonatype-2021-0510] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        validator - Regular Expression Denial of Service (ReDoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-400


2 participants