search

Offensive-Sec / test-react

MIT License
0 stars 0 forks source link

nodemon-2.0.6.tgz: 3 vulnerabilities (highest severity is: 7.5) #6

Open mend-bolt-for-github[bot] opened 12 months ago

mend-bolt-for-github[bot] commented 12 months ago
Vulnerable Library - nodemon-2.0.6.tgz

Path to dependency file: /fixtures/ssr2/package.json

Path to vulnerable library: /fixtures/ssr2/package.json,/react-main/fixtures/ssr2/package.json

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nodemon version) Remediation Possible**
CVE-2021-33502 High 7.5 normalize-url-4.5.0.tgz Transitive 2.0.7
CVE-2022-25881 Medium 5.3 http-cache-semantics-4.1.0.tgz Transitive 2.0.7
CVE-2020-28469 Medium 5.3 glob-parent-5.1.1.tgz Transitive 2.0.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-33502 ### Vulnerable Library - normalize-url-4.5.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz

Path to dependency file: /fixtures/ssr2/package.json

Path to vulnerable library: /fixtures/ssr2/package.json,/react-main/fixtures/ssr2/package.json

Dependency Hierarchy: - nodemon-2.0.6.tgz (Root Library) - update-notifier-4.1.3.tgz - latest-version-5.1.0.tgz - package-json-6.5.0.tgz - got-9.6.0.tgz - cacheable-request-6.1.0.tgz - :x: **normalize-url-4.5.0.tgz** (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (nodemon): 2.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-25881 ### Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /fixtures/fizz/package.json

Path to vulnerable library: /fixtures/fizz/package.json,/fixtures/ssr2/package.json,/react-main/fixtures/fizz/package.json,/react-main/fixtures/ssr2/package.json

Dependency Hierarchy: - nodemon-2.0.6.tgz (Root Library) - update-notifier-4.1.3.tgz - latest-version-5.1.0.tgz - package-json-6.5.0.tgz - got-9.6.0.tgz - cacheable-request-6.1.0.tgz - :x: **http-cache-semantics-4.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

### Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution (http-cache-semantics): 4.1.1

Direct dependency fix Resolution (nodemon): 2.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28469 ### Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /react-main/fixtures/ssr2/package.json

Path to vulnerable library: /react-main/fixtures/ssr2/package.json,/fixtures/ssr2/package.json

Dependency Hierarchy: - nodemon-2.0.6.tgz (Root Library) - chokidar-3.4.3.tgz - :x: **glob-parent-5.1.1.tgz** (Vulnerable Library)

Found in HEAD commit: f7127272769002f98a4adb752b5ccfbffdc43a03

Found in base branch: main

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (nodemon): 2.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)