## Vulnerable Library - gridsome-0.7.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
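Every finding in this report is reached transitively through gridsome-0.7.23.tgz, and each entry's suggested fix is simply "Upgrade version". The practical question for the project is therefore which direct dependency to bump, and whether that bump actually pulls in a fixed copy on every path. As an added example (not gridsome's or WhiteSource's code), the script below walks a dependency tree in the shape `npm ls --all --json` prints and lists every path that ends at a package below the fix version listed for it. The tree and the fix table are constructed here from three of the hierarchies in this report; the package name `example-site` is a placeholder.

```javascript
// Added example (not gridsome's or WhiteSource's code). Walks a dependency tree
// in the shape `npm ls --all --json` prints and reports every path that reaches
// a package whose version is below the fix version listed for it.

// Constructed sample tree mirroring three hierarchies from this report
// (url-parse under sockjs-client, qs under express, qs under request).
const sampleTree = {
  name: 'example-site',
  version: '1.0.0',
  dependencies: {
    gridsome: {
      version: '0.7.23',
      dependencies: {
        'sockjs-client': {
          version: '1.5.2',
          dependencies: { 'url-parse': { version: '1.5.3' } },
        },
        express: {
          version: '4.17.1',
          dependencies: { qs: { version: '6.7.0' } },
        },
        'probe-image-size': {
          version: '4.1.1',
          dependencies: {
            request: {
              version: '2.88.2',
              dependencies: { qs: { version: '6.5.2' } },
            },
          },
        },
      },
    },
  },
};

// Package -> lowest fixed version, taken from the Fix Resolution lines in this report.
const fixResolutions = { 'url-parse': '1.5.9', qs: '6.8.1' };

// Numeric dotted-version comparison: returns -1, 0 or 1. A pre-release suffix
// such as "-beta.1" is ignored, which is conservative for this purpose.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over `dependencies`; deduped entries in real `npm ls`
// output carry no `dependencies` key, so they simply end the path.
function* walk(node, path = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    yield { name, version: child.version, path: here };
    yield* walk(child, here);
  }
}

// Every path ending at a package below its fix version.
function findVulnerablePaths(tree, fixes) {
  const hits = [];
  for (const { name, version, path } of walk(tree)) {
    const fixed = fixes[name];
    if (fixed !== undefined && compareVersions(version, fixed) < 0) {
      hits.push({ name, version, fixed, path: path.join(' > ') });
    }
  }
  return hits;
}

// The direct dependency at the top of each path is the one to bump or override.
function directOwners(hits) {
  return [...new Set(hits.map((h) => h.path.split(' > ')[0]))];
}

for (const hit of findVulnerablePaths(sampleTree, fixResolutions)) {
  console.log(`${hit.name}@${hit.version} < ${hit.fixed}: ${hit.path}`);
}
```

Run it against real output with `npm ls --all --json > tree.json` and replace `sampleTree` with the parsed file. When the direct dependency at the top of a path has no release that pulls in a fixed transitive version, npm's `overrides` field in package.json (or Yarn's `resolutions`) pins the transitive version without forking the dependency.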
## Vulnerabilities

| CVE | CVSS 3 score | Vulnerable library | Fix resolution |
|---|---|---|---|
| CVE-2021-3918 | 9.8 | json-schema-0.2.3.tgz | json-schema 0.4.0 |
| CVE-2022-0691 | 9.8 | url-parse-1.5.3.tgz | url-parse 1.5.9 |
| CVE-2022-0686 | 9.1 | url-parse-1.5.3.tgz | url-parse 1.5.8 |
| CVE-2022-0355 | 7.5 | simple-get-4.0.0.tgz, simple-get-3.1.0.tgz | simple-get 4.0.1 |
| CVE-2021-3807 | 7.5 | ansi-regex-3.0.0.tgz | ansi-regex 5.0.1, 6.0.1 |
| CVE-2020-28469 | 7.5 | glob-parent-3.1.0.tgz | glob-parent 5.1.2 |
| CVE-2021-33502 | 7.5 | normalize-url-3.3.0.tgz, normalize-url-2.0.1.tgz | normalize-url 4.5.1, 5.3.1, 6.0.1 |
| CVE-2021-33623 | 7.5 | trim-newlines-1.0.0.tgz | trim-newlines 3.0.1, 4.0.1 |
| CVE-2021-33587 | 7.5 | css-what-3.4.2.tgz | css-what 5.0.1 |
| CVE-2021-3795 | 7.5 | semver-regex-2.0.0.tgz | semver-regex 3.1.3, 4.0.1 |
| CVE-2021-3803 | 7.5 | nth-check-1.0.2.tgz | nth-check 2.0.1 |
| CVE-2022-0512 | 5.3 | url-parse-1.5.3.tgz | url-parse 1.5.6 |
| CVE-2022-0639 | 5.3 | url-parse-1.5.3.tgz | url-parse 1.5.7 |
| CVE-2021-44907 | 3.1 | qs-6.5.2.tgz, qs-6.7.0.tgz | qs 6.8.1 |

Every finding is reached transitively through gridsome-0.7.23.tgz; see the dependency hierarchy in each entry below.

## Details
### CVE-2021-3918
#### Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - probe-image-size-4.1.1.tgz
    - request-2.88.2.tgz
      - http-signature-1.2.0.tgz
        - jsprim-1.4.1.tgz
          - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution', CWE-1321).
Publish Date: 2021-11-13
URL: CVE-2021-3918
#### CVSS 3 Score Details (9.8)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution: json-schema - 0.4.0
### CVE-2022-0691
#### Vulnerable Library - url-parse-1.5.3.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sockjs-client-1.5.2.tgz
    - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
Authorization Bypass Through User-Controlled Key (CWE-639) in NPM url-parse prior to 1.5.9.
The CWE title is the category assigned by the advisory; in practice the url-parse issues on this page are cases where a crafted URL is parsed to a different host or protocol than a spec-compliant parser (for example the WHATWG `URL` class) would return, which matters wherever the parsed hostname feeds an allow-list, origin check or SSRF guard. Upgrading to 1.5.9 also covers CVE-2022-0686, CVE-2022-0639 and CVE-2022-0512 below, whose fix versions are all lower.
Publish Date: 2022-02-21
URL: CVE-2022-0691
#### CVSS 3 Score Details (9.8)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution: url-parse - 1.5.9
### CVE-2022-0686
#### Vulnerable Library - url-parse-1.5.3.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sockjs-client-1.5.2.tgz
    - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
Authorization Bypass Through User-Controlled Key (CWE-639) in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
#### CVSS 3 Score Details (9.1)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: High; Integrity Impact: High; Availability Impact: None
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution: url-parse - 1.5.8
### CVE-2022-0355
#### Vulnerable Libraries - simple-get-4.0.0.tgz, simple-get-3.1.0.tgz
**simple-get-4.0.0.tgz**
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-4.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/simple-get/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sharp-0.25.4.tgz
    - :x: **simple-get-4.0.0.tgz** (Vulnerable Library)
**simple-get-3.1.0.tgz**
Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.
Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/prebuild-install/node_modules/simple-get/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sharp-0.25.4.tgz
    - prebuild-install-5.3.6.tgz
      - :x: **simple-get-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in NPM simple-get prior to 4.0.1.
Publish Date: 2022-01-26
URL: CVE-2022-0355
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355
Release Date: 2022-01-26
Fix Resolution: simple-get - 4.0.1
### CVE-2021-3807
#### Vulnerable Library - ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/wrap-ansi/node_modules/ansi-regex/package.json, /node_modules/friendly-errors-webpack-plugin/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - friendly-errors-webpack-plugin-1.7.0.tgz
    - string-width-2.1.1.tgz
      - strip-ansi-4.0.0.tgz
        - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CWE-1333, regular expression denial of service).
Publish Date: 2021-09-17
URL: CVE-2021-3807
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1, 6.0.1
### CVE-2020-28469
#### Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - chokidar-2.1.8.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is susceptible to regular expression denial of service (ReDoS).
Publish Date: 2021-06-03
URL: CVE-2020-28469
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
### CVE-2021-33502
#### Vulnerable Libraries - normalize-url-3.3.0.tgz, normalize-url-2.0.1.tgz
**normalize-url-3.3.0.tgz**
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - optimize-css-assets-webpack-plugin-5.0.8.tgz
    - cssnano-4.1.11.tgz
      - cssnano-preset-default-4.0.8.tgz
        - postcss-normalize-url-4.0.1.tgz
          - :x: **normalize-url-3.3.0.tgz** (Vulnerable Library)
**normalize-url-2.0.1.tgz**
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/cacheable-request/node_modules/normalize-url/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-wrapper-4.1.0.tgz
        - download-7.1.0.tgz
          - got-8.3.2.tgz
            - cacheable-request-2.1.4.tgz
              - :x: **normalize-url-2.0.1.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1
### CVE-2021-33623
#### Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - logalot-2.1.0.tgz
        - squeak-1.3.0.tgz
          - lpad-align-1.1.2.tgz
            - meow-3.7.0.tgz
              - :x: **trim-newlines-1.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution: trim-newlines - 3.0.1, 4.0.1
### CVE-2021-33587
#### Vulnerable Library - css-what-3.4.2.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/css-what/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - optimize-css-assets-webpack-plugin-5.0.8.tgz
    - cssnano-4.1.11.tgz
      - cssnano-preset-default-4.0.8.tgz
        - postcss-svgo-4.0.3.tgz
          - svgo-1.3.2.tgz
            - css-select-2.1.0.tgz
              - :x: **css-what-3.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Note that the affected range quoted above starts at 4.0.0 while the flagged copy is 3.4.2; the fix resolution below (5.0.1) is what the scanner reports, so confirm the affected range against the upstream advisory before treating the finding as a false positive.
Publish Date: 2021-05-28
URL: CVE-2021-33587
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
### CVE-2021-3795
#### Vulnerable Library - semver-regex-2.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-wrapper-4.1.0.tgz
        - bin-version-check-4.0.0.tgz
          - bin-version-3.1.0.tgz
            - find-versions-3.2.0.tgz
              - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity (CWE-1333, regular expression denial of service).
Publish Date: 2021-09-15
URL: CVE-2021-3795
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1
Release Date: 2021-09-15
Fix Resolution: semver-regex - 3.1.3, 4.0.1
### CVE-2021-3803
#### Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/nth-check/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - optimize-css-assets-webpack-plugin-5.0.8.tgz
    - cssnano-4.1.11.tgz
      - cssnano-preset-default-4.0.8.tgz
        - postcss-svgo-4.0.3.tgz
          - svgo-1.3.2.tgz
            - css-select-2.1.0.tgz
              - :x: **nth-check-1.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity (CWE-1333, regular expression denial of service).
Publish Date: 2021-09-17
URL: CVE-2021-3803
#### CVSS 3 Score Details (7.5)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High
#### Suggested Fix
Type: Upgrade version
Origin: https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - 2.0.1
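Seven findings on this page (ansi-regex, glob-parent, normalize-url, trim-newlines, css-what, semver-regex and nth-check) are the same bug class: a regular expression whose matching time grows super-linearly with input length, so a request carrying a few kilobytes of crafted text pins a CPU, which is why each scores Availability: High and nothing else. As an added example that is not any of those libraries' code, the block below uses an illustrative `$`-anchored pattern of that class (not the actual regex from any of the advisories) beside a linear replacement, plus a timing helper you can put in a unit test to catch a regex that blows its budget on constructed hostile input.

```javascript
// Added example (not code from any library in this report). The anchored
// pattern below illustrates the backtracking class behind ReDoS advisories;
// it is not the actual regex from any of them.

// Quadratic: for each start offset the engine greedily eats the run of
// newlines, fails at `$` because a non-newline follows, then backtracks one
// character at a time before moving to the next offset.
function trimEndNewlinesRegex(s) {
  return s.replace(/[\r\n]+$/, '');
}

// Linear: scan back from the end once and slice. Same result for every input.
function trimEndNewlinesLinear(s) {
  let end = s.length;
  while (end > 0 && (s[end - 1] === '\n' || s[end - 1] === '\r')) end--;
  return s.slice(0, end);
}

// Constructed hostile input: a long run of newlines that is NOT at the end of
// the string, so the anchored pattern fails at every offset.
function hostileInput(n) {
  return '\n'.repeat(n) + 'x';
}

// Wall-clock cost of fn(input) in milliseconds.
function measureMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// Ratio of cost at 2n to cost at n: about 4 for a quadratic implementation,
// about 2 (noisy) for a linear one. Useful as a smoke test, not a proof.
function growthRatio(fn, n) {
  const small = measureMs(fn, hostileInput(n));
  const large = measureMs(fn, hostileInput(2 * n));
  return large / Math.max(small, 0.001);
}

// Generic guard for a unit test: does `regex.test(input)` finish within
// `budgetMs` on a hostile input of the size your service actually accepts?
function withinBudget(regex, input, budgetMs) {
  const t0 = performance.now();
  regex.test(input);
  return performance.now() - t0 <= budgetMs;
}

for (const n of [2000, 4000, 8000]) {
  const regexMs = measureMs(trimEndNewlinesRegex, hostileInput(n)).toFixed(1);
  const linearMs = measureMs(trimEndNewlinesLinear, hostileInput(n)).toFixed(1);
  console.log(`n=${n}: regex ${regexMs} ms, linear ${linearMs} ms`);
}
console.log('growth ratio (regex, n=4000):', growthRatio(trimEndNewlinesRegex, 4000).toFixed(1));
```

The fix pattern is the same for all seven libraries: either rewrite the pattern so no quantified group can match the same text two ways (or no anchored quantifier can be retried at every offset), or drop the regex for a hand-written scan as `trimEndNewlinesLinear` does. Bounding input length before the regex runs is the cheap defence when the library cannot be upgraded immediately.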
### CVE-2022-0512
#### Vulnerable Library - url-parse-1.5.3.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sockjs-client-1.5.2.tgz
    - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
Authorization Bypass Through User-Controlled Key (CWE-639) in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
#### CVSS 3 Score Details (5.3)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution: url-parse - 1.5.6
### CVE-2022-0639
#### Vulnerable Library - url-parse-1.5.3.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - sockjs-client-1.5.2.tgz
    - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
Authorization Bypass Through User-Controlled Key (CWE-639) in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
#### CVSS 3 Score Details (5.3)
Base Score Metrics (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution: url-parse - 1.5.7
### CVE-2021-44907
#### Vulnerable Libraries - qs-6.5.2.tgz, qs-6.7.0.tgz
**qs-6.5.2.tgz**
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - probe-image-size-4.1.1.tgz
    - request-2.88.2.tgz
      - :x: **qs-6.5.2.tgz** (Vulnerable Library)
**qs-6.7.0.tgz**
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
- gridsome-0.7.23.tgz (Root Library)
  - express-4.17.1.tgz
    - :x: **qs-6.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: 32b67c67692f6675d372e4609d17196cdf1e0718
Found in base branch: master
#### Vulnerability Details
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of properties in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that a property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Publish Date: 2022-03-17
URL: CVE-2021-44907
#### CVSS 3 Score Details (3.1)
Base Score Metrics (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N):
- Exploitability Metrics: Attack Vector: Network; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Unchanged
- Impact Metrics: Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None
#### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
Release Date: 2022-03-17
Fix Resolution: qs - 6.8.1
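For callers, the description above amounts to a type-confusion hazard: a query parameter that a handler expects to be an array may arrive as a plain object carrying index keys, or as a bare string when only one value was sent. As an added example that is not qs's, express's or gridsome's code, the block below shows an unchecked handler beside one that validates the shape with Array.isArray() as the advisory recommends. The parsed query objects are constructed inline to stand in for what a query parser hands to a route, so the example runs without qs; `ValidationError` and the `tags` parameter are names chosen for the illustration.

```javascript
// Added example (not qs's, express's or gridsome's code). The query objects
// below are constructed by hand to stand in for parsed query strings.

// Thrown for bad input shapes; a web framework would map it to HTTP 400.
class ValidationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ValidationError';
  }
}

// Unchecked: assumes `tags` is an array. On a string, a plain object or a
// missing parameter `.map` is not a function and the handler throws a
// TypeError from inside business logic, i.e. a crash rather than a 400.
function tagsUnchecked(query) {
  return query.tags.map((t) => String(t).toLowerCase());
}

// Shape check: accept a single string or an array of strings, bound the
// length, and reject everything else (including objects with index keys).
function toStringArray(value, { max = 50 } = {}) {
  if (typeof value === 'string') return [value];
  if (!Array.isArray(value)) {
    throw new ValidationError('expected a string or an array of strings');
  }
  if (value.length > max) {
    throw new ValidationError(`too many values (max ${max})`);
  }
  if (!value.every((v) => typeof v === 'string')) {
    throw new ValidationError('array must contain only strings');
  }
  return value;
}

// Hardened handler: validate first, then do the work.
function tagsChecked(query) {
  return toStringArray(query.tags).map((t) => t.toLowerCase());
}

// Constructed shapes a handler may receive for `?tags=...`.
const samples = {
  single: { tags: 'Node' },                                // ?tags=Node
  list: { tags: ['Node', 'JS'] },                          // ?tags[]=Node&tags[]=JS
  objectWithIndexKeys: { tags: { 0: 'Node', foo: 'bar' } }, // array turned into an object, as the advisory describes
  nested: { tags: ['Node', ['JS']] },                      // ?tags[]=Node&tags[1][]=JS
  missing: {},
};

// Run both handlers on one query; report the result or the thrown error's name.
function runBoth(query) {
  const out = {};
  for (const [label, fn] of [['unchecked', tagsUnchecked], ['checked', tagsChecked]]) {
    try {
      out[label] = fn(query);
    } catch (e) {
      out[label] = e.name;
    }
  }
  return out;
}

for (const [name, query] of Object.entries(samples)) {
  console.log(name, runBoth(query));
}
```

The difference is not that the hardened handler never rejects input, but that it rejects with a deliberate, catchable error before any array method runs, so malformed shapes become a client error instead of an unhandled exception in the request path.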
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)