CVE-2022-0355 (High) detected in simple-get-2.8.1.tgz, simple-get-3.1.0.tgz

[mend-for-github-com[bot]]

CVE-2022-0355 - High Severity Vulnerability

Vulnerable Libraries - simple-get-2.8.1.tgz, simple-get-3.1.0.tgz

simple-get-2.8.1.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-2.8.1.tgz

Dependency Hierarchy: - drivelist-8.0.10.tgz (Root Library) - prebuild-install-5.3.0.tgz - :x: **simple-get-2.8.1.tgz** (Vulnerable Library)

simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Dependency Hierarchy: - serialport-9.0.7.tgz (Root Library) - bindings-9.0.7.tgz - prebuild-install-6.1.4.tgz - :x: **simple-get-3.1.0.tgz** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution (simple-get): 2.8.2

Direct dependency fix Resolution (drivelist): 9.0.0-remove-mz-2351ae1f877adde5aa159c70cf6410564538e68e

Fix Resolution (simple-get): 3.1.1

Direct dependency fix Resolution (serialport): 9.0.8