download-8.0.0.tgz: 3 vulnerabilities (highest severity is: 9.3)

[mend-for-github-com[bot]]

Vulnerable Library - download-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Found in HEAD commit: 141277bbe1dbdc1d667de53b0177a226b25277eb

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (download version)	Remediation Possible**
CVE-2020-12265	Critical	9.3	decompress-tar-4.1.1.tgz	Transitive	N/A*	❌
CVE-2022-25881	High	8.7	http-cache-semantics-3.8.1.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	6.9	got-8.3.2.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-12265

### Vulnerable Library - decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress-tar/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - decompress-4.2.1.tgz - :x: **decompress-tar-4.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: 141277bbe1dbdc1d667de53b0177a226b25277eb

Found in base branch: master

### Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

### CVSS 4 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: decompress - 4.2.1, decompress-tar - No fix version available

CVE-2022-25881

### Vulnerable Library - http-cache-semantics-3.8.1.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - got-8.3.2.tgz - cacheable-request-2.1.4.tgz - :x: **http-cache-semantics-3.8.1.tgz** (Vulnerable Library)

Found in HEAD commit: 141277bbe1dbdc1d667de53b0177a226b25277eb

Found in base branch: master

### Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

### CVSS 4 Score Details (8.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

CVE-2022-33987

### Vulnerable Library - got-8.3.2.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - :x: **got-8.3.2.tgz** (Vulnerable Library)

Found in HEAD commit: 141277bbe1dbdc1d667de53b0177a226b25277eb

Found in base branch: master

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### CVSS 4 Score Details (6.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS4 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. :calendar: It will be closed automatically in one week if no further activity occurs.

[github-actions[bot]]

This issue was closed because it has been stalled for 7 days with no activity.