pactflow / example-consumer-cypress Goto Github PK

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-svgo-4.0.2.tgz
          • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution (is-svg): 4.2.2

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • resolve-1.15.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - websocket-extensions-0.1.3.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/websocket-extensions/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • sockjs-0.3.19.tgz
      • faye-websocket-0.10.0.tgz
        • websocket-driver-0.7.3.tgz
          • ❌ websocket-extensions-0.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Libraries - normalize-url-3.3.0.tgz, normalize-url-1.9.1.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/acorn/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • jest-24.9.0.tgz
    • jest-cli-24.9.0.tgz
      • jest-config-24.9.0.tgz
        • jest-environment-jsdom-24.9.0.tgz
          • jsdom-11.12.0.tgz
            • ❌ acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Vulnerable Libraries - postcss-7.0.21.tgz, postcss-7.0.27.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 4.0.0

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • yargs-12.0.5.tgz
      • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-17

URL: CVE-2021-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/

Release Date: 2021-09-17

Fix Resolution: object-path - 0.11.8

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • selfsigned-1.10.7.tgz
      • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • jest-environment-jsdom-fourteen-1.0.1.tgz
    • jsdom-14.1.0.tgz
      • request-2.88.2.tgz
        • http-signature-1.2.0.tgz
          • jsprim-1.4.1.tgz
            • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is ['proto']. This is because the === operator returns always false when the type of the operands is different.

Publish Date: 2021-08-27

URL: CVE-2021-23434

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434

Release Date: 2021-08-27

Fix Resolution (object-path): 0.11.6

Direct dependency fix Resolution (react-scripts): 3.4.4

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz, ansi-regex-5.0.0.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (react-scripts): 3.4.1

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • selfsigned-1.10.7.tgz
      • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-svgo-4.0.2.tgz
          • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-21

Fix Resolution (is-svg): 4.3.0

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - eventsource-1.0.7.tgz

W3C compliant EventSource client for Node.js and browser (polyfill)

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eventsource/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ eventsource-1.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • portfinder-1.0.25.tgz
      • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • eslint-plugin-import-2.20.0.tgz
    • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • babel-loader-8.0.6.tgz
    • mkdirp-0.5.5.tgz
      • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 5.0.1

Vulnerable Library - terser-4.6.11.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-4.6.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • terser-webpack-plugin-2.3.4.tgz
    • ❌ terser-4.6.11.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 5.15.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - merge-deep-3.0.2.tgz

Recursively merge values in a javascript object.

Library home page: https://registry.npmjs.org/merge-deep/-/merge-deep-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/merge-deep/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.3.3.tgz
    • plugin-svgo-4.3.1.tgz
      • ❌ merge-deep-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Publish Date: 2021-06-02

URL: CVE-2021-26707

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1922259

Release Date: 2021-06-02

Fix Resolution (merge-deep): 3.0.3

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - node-forge-0.9.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • selfsigned-1.10.7.tgz
      • ❌ node-forge-0.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json,/node_modules/base/node_modules/kind-of/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • define-property-1.0.0.tgz
            • is-descriptor-1.0.2.tgz
              • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - css-what-3.2.1.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/css-what/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.3.3.tgz
    • plugin-svgo-4.3.1.tgz
      • svgo-1.3.2.tgz
        • css-select-2.1.0.tgz
          • ❌ css-what-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (react-scripts): 5.0.1

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • babel-jest-24.9.0.tgz
    • transform-24.9.0.tgz
      • jest-haste-map-24.9.0.tgz
        • walker-1.0.7.tgz
          • makeerror-1.0.11.tgz
            • ❌ tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-dev-server-3.10.2.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Libraries - loader-utils-1.2.3.tgz, loader-utils-1.4.0.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • source-map-resolve-0.5.3.tgz
          • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • global-modules-2.0.0.tgz
      • global-prefix-3.0.0.tgz
        • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - object-path-0.11.4.tgz

Access deep object properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/object-path/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • resolve-url-loader-3.1.1.tgz
    • adjust-sourcemap-loader-2.0.0.tgz
      • ❌ object-path-0.11.4.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (react-scripts): 3.4.4

Vulnerable Libraries - ssri-7.1.0.tgz, ssri-6.0.1.tgz

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 7.1.1

Direct dependency fix Resolution (react-scripts): 3.4.1

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.41.5.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.3.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (immer): 8.0.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • terser-webpack-plugin-2.3.4.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (react-scripts): 3.4.3

Vulnerable Library - color-string-1.5.3.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-colormin-4.0.3.tgz
          • color-3.1.2.tgz
            • ❌ color-string-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (react-scripts): 3.4.1

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

• react-scripts-3.4.0.tgz (Root Library)
  • webpack-4.3.3.tgz
    • plugin-svgo-4.3.1.tgz
      • svgo-1.3.2.tgz
        • css-select-2.1.0.tgz
          • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 340e24f4064182631ba657b42580dbb0476e3b94

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (react-scripts): 5.0.1