sync-moltin-to-shippo's Introduction

@particular./sync-moltin-to-shippo

Create Shippo shipment and send label when an order is paid/captured in Moltin

Asynchronous microservice that is triggered by moltin webhooks to create a Shippo shipment.

Built with Micro! 🤩

🛠 Setup

Both a moltin and Shippo account are needed for this to function.

Create a .env at the project root with the following credentials:

MOLTIN_CLIENT_ID=
MOLTIN_CLIENT_SECRET=
MOLTIN_WEBHOOK_SECRET=
AMAZON_ACCESS_KEY_ID=
AMAZON_SECRET_ACCESS_KEY=
AMAZON_REGION=
EMAIL_FROM=
SHIPPO_PRIVATE_KEY=

Find your MOLTIN_CLIENT_ID and MOLTIN_CLIENT_SECRET inside of your moltin Dashboard's API keys.

MOLTIN_WEBHOOK_SECRET can be anything you want.

📦 Package

Run the following command to build the app

yarn install

Start the development server

yarn dev

The server will typically start on port 3000; if it starts on a different port, make a note of it for the next step.

Start ngrok (if yarn dev started on a different port, replace 3000 below with that port)

ngrok http 3000

Make a note of the https ngrok URL provided.

⛽️ Usage

Next head over to the moltin Webhook Settings area, add a new integration (Settings > Integrations and click Create).

Enter any name and description for your Integration. Moltin recommends you prefix the name with DEVELOPMENT: for any testing.

Next, enter the ngrok URL from above and MOLTIN_WEBHOOK_SECRET that you saved inside .env.

Now finally you'll want to configure what Moltin Observables will cause this webhook to be invoked. In this example we want to monitor the Order observable and select the Paid/Captured box.

Click Save to register your new Webhook with Moltin.
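
An added example, not code from this repository: one way the receiving service can check the secret on each delivery, since the ngrok URL is reachable by anyone who learns it and the shared secret is what distinguishes Moltin's requests. It assumes Moltin sends the integration's Secret Key in an `x-moltin-secret-key` request header; `generateWebhookSecret`, `secretsMatch`, `checkWebhook` and the 32-character minimum are names and policy chosen for this example.

```javascript
const crypto = require('crypto');

// Assumption: the integration's Secret Key arrives in this request header
// (Node lower-cases incoming header names).
const SECRET_HEADER = 'x-moltin-secret-key';

// Policy chosen for this example, not a Moltin requirement.
const MIN_SECRET_LENGTH = 32;

// Produce a value suitable for MOLTIN_WEBHOOK_SECRET: 32 random bytes as hex.
function generateWebhookSecret() {
  return crypto.randomBytes(32).toString('hex');
}

// Compare two secrets without leaking where they differ or how long they are.
// Both values are HMACed under a throwaway key first, so timingSafeEqual
// always receives equal-length buffers and never throws on a length mismatch.
function secretsMatch(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') {
    return false; // missing header, or a non-string header value
  }
  const key = crypto.randomBytes(32);
  const mac = (s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();
  return crypto.timingSafeEqual(mac(presented), mac(expected));
}

// Decide how to answer a webhook delivery before doing any Shippo work.
// Fails closed: an unset or short secret is a server error, never "allow".
function checkWebhook(headers, env) {
  const expected = env.MOLTIN_WEBHOOK_SECRET;
  if (typeof expected !== 'string' || expected.length < MIN_SECRET_LENGTH) {
    return { status: 500, reason: 'MOLTIN_WEBHOOK_SECRET missing or too short' };
  }
  if (!secretsMatch(headers[SECRET_HEADER], expected)) {
    return { status: 401, reason: 'secret header missing or wrong' };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed sample deliveries, for illustration only.
function demo() {
  const secret = generateWebhookSecret();
  const env = { MOLTIN_WEBHOOK_SECRET: secret };
  return {
    genuine: checkWebhook({ [SECRET_HEADER]: secret }, env).status,
    wrongSecret: checkWebhook({ [SECRET_HEADER]: 'guess' }, env).status,
    noHeader: checkWebhook({}, env).status,
    weakConfig: checkWebhook(
      { [SECRET_HEADER]: 'changeme' },
      { MOLTIN_WEBHOOK_SECRET: 'changeme' }
    ).status,
  };
}

console.log(demo());
```

In a Micro handler, the `status` returned by `checkWebhook(req.headers, process.env)` would be sent back before the order payload is parsed.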

🚀 Deploy

You can easily deploy this function to now.

Contact Adam Grohs @ Particular. for any questions.

sync-moltin-to-shippo's Issues

WS-2019-0209 (Medium) detected in marked-0.6.2.tgz

WS-2019-0209 - Medium Severity Vulnerability

Vulnerable Library - marked-0.6.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • ❌ marked-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 27f2fe72ff6e4ca8a18edbe3108549a8312d142e

Vulnerability Details

marked before 0.7.0 is vulnerable to a ReDoS attack by the _label subrule that may significantly degrade parsing performance of malformed input.

Publish Date: 2019-07-04

URL: WS-2019-0209

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1076

Release Date: 2019-09-05

Fix Resolution: 0.7.0


Step up your Open Source Security Game with WhiteSource here

WS-2019-0337 (Medium) detected in bin-links-1.1.2.tgz

WS-2019-0337 - Medium Severity Vulnerability

Vulnerable Library - bin-links-1.1.2.tgz

JavaScript package binary linker

Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/bin-links/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • ❌ bin-links-1.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 9751f50f3931bb08d4180d1a57d5aa27c2f66225

Vulnerability Details

Arbitrary File Write vulnerability found in bin-links before 1.1.5. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system.

Publish Date: 2019-12-11

URL: WS-2019-0337

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: npm/bin-links@642cd18

Release Date: 2019-12-17

Fix Resolution: bin-links - 1.1.5


WS-2019-0381 (Medium) detected in kind-of-6.0.2.tgz

WS-2019-0381 - Medium Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 92dd38c9cd8e467044b9ed3cfa87cf98dd563456

Vulnerability Details

Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation.

Publish Date: 2019-12-30

URL: WS-2019-0381

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/kind-of@975c13a

Release Date: 2020-03-18

Fix Resolution: kind-of - 6.0.3


WS-2019-0339 (High) detected in bin-links-1.1.2.tgz

WS-2019-0339 - High Severity Vulnerability

Vulnerable Library - bin-links-1.1.2.tgz

JavaScript package binary linker

Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/bin-links/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • ❌ bin-links-1.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 9751f50f3931bb08d4180d1a57d5aa27c2f66225

Vulnerability Details

In bin-links, versions prior to v1.1.6 are vulnerable to a Global 'node_modules' Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs.

Publish Date: 2019-12-11

URL: WS-2019-0339

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: npm/bin-links@642cd18

Release Date: 2019-12-17

Fix Resolution: bin-links - 1.1.6


WS-2019-0332 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0332 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attackers may submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3


CVE-2019-20922 (High) detected in handlebars-4.1.2.tgz

CVE-2019-20922 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-10-07

Fix Resolution: handlebars - 4.4.5


WS-2020-0070 (High) detected in lodash-4.17.11.tgz

WS-2020-0070 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/lodash/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: eebe8de6c83f7fd2373b406c19afebba2fbab52e

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

WS-2019-0493 (High) detected in handlebars-4.1.2.tgz

WS-2019-0493 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution: handlebars - 3.0.8,4.5.2


WS-2019-0333 (High) detected in handlebars-4.1.2.tgz

WS-2019-0333 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possible to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.3


WS-2020-0068 (High) detected in multiple libraries

WS-2020-0068 - High Severity Vulnerability

Vulnerable Libraries - yargs-parser-10.1.0.tgz, yargs-parser-9.0.2.tgz, yargs-parser-11.1.1.tgz, yargs-parser-13.1.0.tgz

yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/ts-jest/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • ts-jest-24.0.2.tgz (Root Library)
    • ❌ yargs-parser-10.1.0.tgz (Vulnerable Library)

yargs-parser-9.0.2.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/npm/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • jsome-2.5.0.tgz
      • yargs-11.1.0.tgz
        • ❌ yargs-parser-9.0.2.tgz (Vulnerable Library)

yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • yargs-12.0.5.tgz
        • ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)

yargs-parser-13.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.0.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/semantic-release/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • yargs-13.2.4.tgz
      • ❌ yargs-parser-13.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 92dd38c9cd8e467044b9ed3cfa87cf98dd563456

Vulnerability Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument '--foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Publish Date: 2020-05-01

URL: WS-2020-0068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/yargs-parser

Release Date: 2020-05-04

Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1


WS-2020-0180 (High) detected in npm-user-validate-1.0.0.tgz

WS-2020-0180 - High Severity Vulnerability

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1


CVE-2019-16775 (Medium) detected in npm-6.9.0.tgz

CVE-2019-16775 - Medium Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • ❌ npm-6.9.0.tgz (Vulnerable Library)

Found in HEAD commit: a82ba494fccee66331990f772ade34a53a69d85f

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16775

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.3;yarn - 1.21.1


WS-2019-0047 Medium Severity Vulnerability detected by WhiteSource

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/git/sync-moltin-to-shippo/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

  • semantic-release-15.13.3.tgz (Root Library)
    • npm-5.1.6.tgz
      • npm-6.9.0.tgz
        • node-gyp-3.8.0.tgz
          • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 4f4cb7598986b4817764b1f71ac765aa9f3983c8

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2


CVE-2012-6708 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 27f2fe72ff6e4ca8a18edbe3108549a8312d142e

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0


CVE-2020-8203 (High) detected in lodash-4.17.11.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/lodash/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 8e97c47fbfdda4427f8e99c4173a1d1f5e7e4afb

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-10-21

Fix Resolution: lodash - 4.17.19


WS-2019-0369 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0369 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 4aef70993b79edf7c688d70027ef6636acfa0b7c

Vulnerability Details

Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attacker may use Remote-Code-Execution exploits.

Publish Date: 2020-01-08

URL: WS-2019-0369

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019

Release Date: 2020-01-08

Fix Resolution: handlebars - 4.5.3


WS-2019-0368 (Low) detected in handlebars-4.1.2.tgz

WS-2019-0368 - Low Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 4aef70993b79edf7c688d70027ef6636acfa0b7c

Vulnerability Details

Security vulnerability found in handlebars.js before 4.3.0.

Publish Date: 2020-01-08

URL: WS-2019-0368

CVSS 2 Score Details (3.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@2078c72

Release Date: 2020-01-08

Fix Resolution: handlebars - 4.3.0


CVE-2019-16776 (High) detected in npm-6.9.0.tgz

CVE-2019-16776 - High Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • ❌ npm-6.9.0.tgz (Vulnerable Library)

Found in HEAD commit: a82ba494fccee66331990f772ade34a53a69d85f

Vulnerability Details

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16776

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.3;yarn - 1.21.1


CVE-2019-20149 (High) detected in kind-of-6.0.2.tgz

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • core-24.8.0.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 4aef70993b79edf7c688d70027ef6636acfa0b7c

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3



CVE-2019-10746 (High) detected in mixin-deep-1.3.1.tgz

CVE-2019-10746 - High Severity Vulnerability

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/mixin-deep/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • chokidar-2.0.3.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 4cb81e34d70b67830dfb3f8100bd6140dccb9f19

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/mixin-deep@8f464c8

Release Date: 2019-07-11

Fix Resolution: 1.3.2,2.0.1



CVE-2020-15095 (Medium) detected in npm-6.9.0.tgz

CVE-2020-15095 - Medium Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • ❌ npm-6.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e97c47fbfdda4427f8e99c4173a1d1f5e7e4afb

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution: npm - 6.14.6



WS-2019-0100 (Medium) detected in fstream-1.0.11.tgz

WS-2019-0100 - Medium Severity Vulnerability

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/git/sync-moltin-to-shippo/node_modules/npm/node_modules/fstream/package.json

Dependency Hierarchy:

  • semantic-release-15.13.12.tgz (Root Library)
    • npm-5.1.4.tgz
      • npm-6.5.0.tgz
        • node-gyp-3.8.0.tgz
          • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: a712490998a0d13c47f8a099cd3df70959bca61b

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12



CVE-2020-11023 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 8e97c47fbfdda4427f8e99c4173a1d1f5e7e4afb

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0



WS-2019-0331 (Medium) detected in handlebars-4.1.2.tgz

WS-2019-0331 - Medium Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-12-05

Fix Resolution: handlebars - 4.5.2



WS-2020-0127 (Low) detected in npm-registry-fetch-3.9.0.tgz

WS-2020-0127 - Low Severity Vulnerability

Vulnerable Library - npm-registry-fetch-3.9.0.tgz

Fetch-based http client for use with npm registry APIs

Library home page: https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-3.9.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/npm-registry-fetch/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • ❌ npm-registry-fetch-3.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 8e97c47fbfdda4427f8e99c4173a1d1f5e7e4afb

Vulnerability Details

npm-registry-fetch before 4.0.5 and 8.1.1 is vulnerable to an information exposure vulnerability through log files.

Publish Date: 2020-07-07

URL: WS-2020-0127

CVSS 3 Score Details (3.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1544

Release Date: 2020-07-14

Fix Resolution: npm-registry-fetch - 4.0.5,8.1.1



CVE-2020-7656 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 4dff834e6e5ce2c39466bea3935a83fd68e7050b

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0



WS-2019-0492 (High) detected in handlebars-4.1.2.tgz

WS-2019-0492 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution: handlebars - 3.0.8,4.5.3



CVE-2019-10747 (High) detected in set-value-2.0.0.tgz, set-value-0.4.3.tgz

CVE-2019-10747 - High Severity Vulnerability

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/set-value/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • chokidar-2.0.3.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • ❌ set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • chokidar-2.0.3.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • union-value-1.0.0.tgz
                • ❌ set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: ce62bb4a2889633e9704e74b42d11c363c77976d

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: jonschlinkert/set-value@95e9d99

Release Date: 2019-07-24

Fix Resolution: 2.0.1,3.0.1



CVE-2019-16777 (Medium) detected in npm-6.9.0.tgz

CVE-2019-16777 - Medium Severity Vulnerability

Vulnerable Library - npm-6.9.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.9.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • ❌ npm-6.9.0.tgz (Vulnerable Library)

Found in HEAD commit: a82ba494fccee66331990f772ade34a53a69d85f

Vulnerability Details

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Publish Date: 2019-12-13

URL: CVE-2019-16777

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Release Date: 2019-12-13

Fix Resolution: npm - 6.13.4



CVE-2019-13173 (High) detected in fstream-1.0.11.tgz

CVE-2019-13173 - High Severity Vulnerability

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/fstream/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • node-gyp-3.8.0.tgz
          • ❌ fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 8719afe290091be16c78aeb3b137f4e34dc559fd

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12



WS-2019-0291 (High) detected in handlebars-4.1.2.tgz

WS-2019-0291 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/package.json

Path to vulnerable library: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 4a4373c354d0d8be91f9f9b035ea9e22efff3793

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0



WS-2018-0236 (Medium) detected in mem-1.1.0.tgz

WS-2018-0236 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jsome/node_modules/mem/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • jsome-2.5.0.tgz
      • yargs-11.1.0.tgz
        • os-locale-2.1.0.tgz
          • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 00cff1202944686d2e5a82dcd0280b6a22daede7

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2018-08-27

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0



CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/lodash/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 3b27e27324c0a69c29566e9fda78a196894dd95d

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0



CVE-2020-7608 (Medium) detected in multiple libraries

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Libraries - yargs-parser-13.1.0.tgz, yargs-parser-10.1.0.tgz, yargs-parser-9.0.2.tgz, yargs-parser-11.1.1.tgz

yargs-parser-13.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/semantic-release/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • yargs-13.2.4.tgz
      • ❌ yargs-parser-13.1.0.tgz (Vulnerable Library)

yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/ts-jest/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • ts-jest-24.0.2.tgz (Root Library)
    • ❌ yargs-parser-10.1.0.tgz (Vulnerable Library)

yargs-parser-9.0.2.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-9.0.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/yargs-parser/package.json,sync-moltin-to-shippo/node_modules/jsome/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • jsome-2.5.0.tgz
      • yargs-11.1.0.tgz
        • ❌ yargs-parser-9.0.2.tgz (Vulnerable Library)

yargs-parser-11.1.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • yargs-12.0.5.tgz
        • ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 92dd38c9cd8e467044b9ed3cfa87cf98dd563456

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-06-05

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1



WS-2019-0338 (High) detected in bin-links-1.1.2.tgz

WS-2019-0338 - High Severity Vulnerability

Vulnerable Library - bin-links-1.1.2.tgz

JavaScript package binary linker

Library home page: https://registry.npmjs.org/bin-links/-/bin-links-1.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/bin-links/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • ❌ bin-links-1.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 9751f50f3931bb08d4180d1a57d5aa27c2f66225

Vulnerability Details

In bin-links, versions prior to v1.1.5 are vulnerable to a Symlink reference outside of 'node_modules' directory. An attacker can access unauthorized files.

Publish Date: 2019-12-10

URL: WS-2019-0338

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: npm/bin-links@b3cfd2e

Release Date: 2019-12-17

Fix Resolution: bin-links - 1.1.5



WS-2019-0310 (High) detected in https-proxy-agent-2.2.1.tgz

WS-2019-0310 - High Severity Vulnerability

Vulnerable Library - https-proxy-agent-2.2.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/https-proxy-agent/package.json,sync-moltin-to-shippo/node_modules/npm/node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • github-5.2.10.tgz
      • ❌ https-proxy-agent-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-12-01

Fix Resolution: https-proxy-agent - 2.2.3



CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz, dot-prop-3.0.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Libraries - dot-prop-4.2.0.tgz, dot-prop-3.0.0.tgz

dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • update-notifier-2.5.0.tgz
          • configstore-3.1.2.tgz
            • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • commit-analyzer-6.1.0.tgz
      • conventional-changelog-angular-5.0.3.tgz
        • compare-func-1.3.2.tgz
          • ❌ dot-prop-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ea7aad202f179e8d6bc18c5e0906dd264f8058a7

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1



WS-2019-0318 (High) detected in handlebars-4.1.2.tgz

WS-2019-0318 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-12-01

Fix Resolution: handlebars - 4.4.5



CVE-2019-20920 (High) detected in handlebars-4.1.2.tgz

CVE-2019-20920 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3



WS-2020-0042 (High) detected in acorn-6.1.1.tgz, acorn-5.7.3.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Libraries - acorn-6.1.1.tgz, acorn-5.7.3.tgz

acorn-6.1.1.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.1.1.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/acorn-globals/node_modules/acorn/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • jest-config-24.8.0.tgz
        • jest-environment-jsdom-24.8.0.tgz
          • jsdom-11.12.0.tgz
            • acorn-globals-4.3.2.tgz
              • ❌ acorn-6.1.1.tgz (Vulnerable Library)

acorn-5.7.3.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/acorn/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • jest-config-24.8.0.tgz
        • jest-environment-jsdom-24.8.0.tgz
          • jsdom-11.12.0.tgz
            • ❌ acorn-5.7.3.tgz (Vulnerable Library)

Found in HEAD commit: 84ca42e4154dd2768cb39c600071d281257fddc0

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-08

Fix Resolution: 7.1.1



WS-2020-0163 (Medium) detected in marked-0.6.2.tgz

WS-2020-0163 - Medium Severity Vulnerability

Vulnerable Library - marked-0.6.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.6.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • ❌ marked-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1



CVE-2020-7598 (Medium) detected in multiple libraries

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/minimist/package.json,sync-moltin-to-shippo/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • ts-jest-24.0.2.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • handlebars-4.1.2.tgz
          • optimist-0.6.1.tgz
            • ❌ minimist-0.0.10.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/rc/node_modules/minimist/package.json,sync-moltin-to-shippo/node_modules/minimist/package.json

Dependency Hierarchy:

  • ts-jest-24.0.2.tgz (Root Library)
    • json5-2.1.0.tgz
      • ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 92dd38c9cd8e467044b9ed3cfa87cf98dd563456

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3



CVE-2020-11022 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 92dd38c9cd8e467044b9ed3cfa87cf98dd563456

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0



WS-2016-0090 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

WS-2016-0090 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: /sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 27f2fe72ff6e4ca8a18edbe3108549a8312d142e

Vulnerability Details

JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.

Publish Date: 2016-11-27

URL: WS-2016-0090

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: jquery/jquery@b078a62

Release Date: 2019-04-08

Fix Resolution: 2.2.0



WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jsome/node_modules/mem/package.json,sync-moltin-to-shippo/node_modules/npm/node_modules/mem/package.json

Dependency Hierarchy:

  • micro-dev-3.0.0.tgz (Root Library)
    • jsome-2.5.0.tgz
      • yargs-11.1.0.tgz
        • os-locale-2.1.0.tgz
          • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: c492d4f7c07cfd0b5854c6bd1655bf236325b4e2

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal of old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0



CVE-2020-15366 (Medium) detected in ajv-6.10.0.tgz, ajv-5.5.2.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Libraries - ajv-6.10.0.tgz, ajv-5.5.2.tgz

ajv-6.10.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/ajv/package.json

Dependency Hierarchy:

  • jest-24.8.0.tgz (Root Library)
    • jest-cli-24.8.0.tgz
      • jest-config-24.8.0.tgz
        • jest-environment-jsdom-24.8.0.tgz
          • jsdom-11.12.0.tgz
            • request-2.88.0.tgz
              • har-validator-5.1.3.tgz
                • ❌ ajv-6.10.0.tgz (Vulnerable Library)

ajv-5.5.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/ajv/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • request-2.88.0.tgz
          • har-validator-5.1.0.tgz
            • ❌ ajv-5.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e97c47fbfdda4427f8e99c4173a1d1f5e7e4afb

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3



CVE-2019-19919 (High) detected in handlebars-4.1.2.tgz

CVE-2019-19919 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 81fd041cf1f3ae85d75376464e5eab009f53228b

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution: 4.3.0



WS-2019-0491 (High) detected in handlebars-4.1.2.tgz

WS-2019-0491 - High Severity Vulnerability

Vulnerable Library - handlebars-4.1.2.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.1.2.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/handlebars/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • release-notes-generator-7.1.4.tgz
      • conventional-changelog-writer-4.0.3.tgz
        • ❌ handlebars-4.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 8e31b8412f3cf76c270e8689a850ecdf48d6a85f

Vulnerability Details

handlebars before 4.4.5 is vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.

Publish Date: 2019-11-04

URL: WS-2019-0491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-11-04

Fix Resolution: handlebars - 4.4.5



CVE-2018-20834 (High) detected in tar-2.2.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: sync-moltin-to-shippo/package.json

Path to vulnerable library: sync-moltin-to-shippo/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

  • semantic-release-15.13.15.tgz (Root Library)
    • npm-5.1.7.tgz
      • npm-6.9.0.tgz
        • node-gyp-3.8.0.tgz
          • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 788b3aa1fe5ae23501686b98e5e9220c4566a24b

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2



CVE-2015-9251 (Medium) detected in jquery-1.7.2.min.js, jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.7.2.min.js, jquery-1.8.1.min.js

jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/jmespath/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: sync-moltin-to-shippo/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 27f2fe72ff6e4ca8a18edbe3108549a8312d142e

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

