Quickly view, search and use the icons in the Material Icons icon pack, even the undocumented ones!
Home Page: https://material-icons-library.dugny.me/
License: MIT License
Vulnerable Library - async-2.6.3.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (@angular/cli): 12.0.1
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - css-what-4.0.0.tgza CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-4.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - nanoid-3.1.23.tgzA tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.23.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - trim-off-newlines-1.0.1.tgzSimilar to String#trim() but removes only newlines
Library home page: https://registry.npmjs.org/trim-off-newlines/-/trim-off-newlines-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-off-newlines/package.json
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.
Publish Date: 2021-08-18
URL: CVE-2021-23425
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23425
Release Date: 2021-08-18
Fix Resolution (trim-off-newlines): 1.0.2
Direct dependency fix Resolution (@commitlint/cli): 13.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Dependency Hierarchy:
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - minimatch-3.0.4.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.0.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: 2021-08-31
URL: CVE-2021-37712
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date: 2021-08-31
Fix Resolution (tar): 6.1.9
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - glob-parent-3.1.0.tgzStrips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-9.0.0.tgzAngular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-9.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.
Publish Date: 2022-05-26
URL: CVE-2021-4231
CVSS 3 Score Details (5.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-26
Fix Resolution: @angular/core -10.2.5,11.0.5 ,11.1.0-next.3
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - ws-7.4.5.tgz, ws-6.2.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz
Dependency Hierarchy:
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (karma): 6.3.3
Fix Resolution (ws): 7.4.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - postcss-7.0.35.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jszip-3.6.0.tgzCreate, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.6.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.
Publish Date: 2021-07-25
URL: CVE-2021-23413
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: 2021-07-25
Fix Resolution: jszip - 3.7.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
When searching for an icon, all categories name are displayed, even if no icon from this category is shown.
Current behavior:
Expected behavior:
Previously, the category name was included in the icon-item component, and only shown for the first icon of a category, but this is not maintainable.
Waiting for a fix in Angular Universal, where pre-rendering can't be used when the app is a PWA.
Check branch feature/ssr
Vulnerable Library - trim-newlines-1.0.0.tgzTrim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (standard-version): 9.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.0.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Publish Date: 2021-08-31
URL: CVE-2021-37701
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9r2w-394v-53qc
Release Date: 2021-08-31
Fix Resolution (tar): 6.1.7
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - karma-6.3.2.tgzSpectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-6.3.2.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Publish Date: 2022-02-05
URL: CVE-2022-0437
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-0437
Release Date: 2022-02-05
Fix Resolution: 6.3.14
Step up your Open Source Security Game with Mend here
Vulnerable Library - semver-regex-3.1.2.tgzRegular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.2.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (husky): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - semver-regex-3.1.2.tgzRegular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (husky): 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - terser-5.7.0.tgzJavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.7.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.14.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.18
Step up your Open Source Security Game with Mend here
Vulnerable Library - nth-check-2.0.0.tgzParses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - path-parse-1.0.6.tgzNode.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - postcss-7.0.35.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - eventsource-1.1.0.tgzW3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - uglify-js-3.13.6.tgzJavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.13.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (standard-version): 9.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
package.json
@angular/animations ^17.1.2@angular/cdk ^17.1.2@angular/common ^17.1.2@angular/compiler ^17.1.2@angular/core ^17.1.2@angular/forms ^17.1.2@angular/material ^17.1.2@angular/platform-browser ^17.1.2@angular/platform-browser-dynamic ^17.1.2@angular/router ^17.1.2@angular/service-worker ^17.1.2@commitlint/cli ^18.6.0@commitlint/config-conventional ^18.6.0prettier ^3.2.4pretty-quick ^4.0.0rxjs ~7.8.1standard-version ^9.5.0tslib ^2.6.2zone.js ~0.14.3@angular-devkit/build-angular ^17.1.2@angular/cli ^17.1.2@angular/compiler-cli ^17.1.2@types/jasmine ~5.1.4@types/jasminewd2 ~2.0.13codelyzer ^6.0.2husky ^9.0.10jasmine-core ~5.1.1jasmine-spec-reporter ~7.0.0karma ~6.4.2karma-chrome-launcher ~3.2.0karma-coverage-istanbul-reporter ~3.0.2karma-jasmine ~5.1.0karma-jasmine-html-reporter ^2.1.0protractor ~7.0.0ts-node ~10.9.2tslint ~6.1.0typescript ~5.3.3node >=18.13.0yarn >=1.22.17
Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-2.0.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Dependency Hierarchy:
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-9.0.0.tgzAngular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-9.0.0.tgz
Path to dependency file: MaterialIconsLibrary/package.json
Path to vulnerable library: MaterialIconsLibrary/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
Cross-Site Scripting (XSS) vulnerability was found in @angular/core before 11.1.1. HTML doesn't specify any way to escape comment end text inside the comment.
Publish Date: 2021-01-26
URL: WS-2021-0039
CVSS 3 Score Details (3.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/angular/angular/releases/tag/11.1.1
Release Date: 2021-01-26
Fix Resolution: @angular/core - 11.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - tar-6.1.0.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Publish Date: 2021-08-31
URL: CVE-2021-37713
CVSS 3 Score Details (8.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5955-9wpr-37jh
Release Date: 2021-08-31
Fix Resolution (tar): 6.1.9
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.0.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution (tar): 6.1.1
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - normalize-url-4.5.0.tgzNormalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - glob-parent-5.1.2.tgzExtract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - karma-6.3.2.tgzSpectacular Test Runner for JavaScript.
Library home page: https://registry.npmjs.org/karma/-/karma-6.3.2.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.
Publish Date: 2022-02-25
URL: CVE-2021-23495
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23495
Release Date: 2022-02-25
Fix Resolution: 6.3.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - ansi-html-0.0.7.tgzAn elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.2.15
Step up your Open Source Security Game with Mend here
Vulnerable Library - engine.io-4.1.1.tgzThe realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-4.1.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package starting from version 4.0.0, including those who uses depending packages like socket.io. Versions prior to 4.0.0 are not impacted. A fix has been released for each major branch, namely 4.1.2 for the 4.x.x branch, 5.2.1 for the 5.x.x branch, and 6.1.1 for the 6.x.x branch. There is no known workaround except upgrading to a safe version.
Publish Date: 2022-01-12
URL: CVE-2022-21676
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-273r-mgr4-v34f
Release Date: 2022-01-12
Fix Resolution (engine.io): 4.1.2
Direct dependency fix Resolution (karma): 6.3.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - url-parse-1.5.1.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - loader-utils-2.0.0.tgzutils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: 2022-10-11
URL: CVE-2022-37599
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - dns-packet-1.3.1.tgzAn abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.0.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 89aa5982db5f213f61df052ca5dc7f0732ce3a91
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Publish Date: 2021-08-03
URL: CVE-2021-32803
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r628-mhmh-qjhw
Release Date: 2021-08-03
Fix Resolution (tar): 6.1.2
Direct dependency fix Resolution (@angular/cli): 12.0.1
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
