Open mend-for-github-com[bot] opened 4 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - download-8.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Found in HEAD commit: 46f9017bf07d9afe8f4c8706e6bb2bdfc9524486
Vulnerabilities
Reachable
Reachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-33987
### Vulnerable Library - got-8.3.2.tgzSimplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - :x: **got-8.3.2.tgz** (Vulnerable Library)
Found in HEAD commit: 46f9017bf07d9afe8f4c8706e6bb2bdfc9524486
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` juice-shop-17.0.0/routes/chatbot.ts (Application) -> download-8.0.0/index.js (Extension) -> ❌ got-8.3.2/index.js (Vulnerable Component) ``` ### Vulnerability DetailsThe got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
CVE-2022-25881
### Vulnerable Library - http-cache-semantics-3.8.1.tgzParses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/http-cache-semantics/package.json
Dependency Hierarchy: - download-8.0.0.tgz (Root Library) - got-8.3.2.tgz - cacheable-request-2.1.4.tgz - :x: **http-cache-semantics-3.8.1.tgz** (Vulnerable Library)
Found in HEAD commit: 46f9017bf07d9afe8f4c8706e6bb2bdfc9524486
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` juice-shop-17.0.0/routes/chatbot.ts (Application) -> download-8.0.0/index.js (Extension) -> got-8.3.2/index.js (Extension) -> cacheable-request-2.1.4/src/index.js (Extension) -> ❌ http-cache-semantics-3.8.1/node4/index.js (Vulnerable Component) ``` ### Vulnerability DetailsThis affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1