react-scripts-1.0.17.tgz: 84 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - react-scripts-1.0.17.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/normalize-url/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/normalize-url/package.json

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2021-23369	High	9.8	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2018-3774	High	9.8	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2019-19919	High	9.8	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2018-13797	High	9.8	macaddress-0.2.8.tgz	Transitive	1.1.0	❌
CVE-2018-1000620	High	9.8	cryptiles-3.1.2.tgz	Transitive	1.1.0	❌
CVE-2020-28499	High	9.8	merge-1.2.0.tgz	Transitive	3.0.0	❌
CVE-2021-23383	High	9.8	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2018-3750	High	9.8	deep-extend-0.4.2.tgz	Transitive	1.1.0	❌
CVE-2022-0691	High	9.8	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2018-6342	High	9.8	react-dev-utils-4.2.1.tgz	Transitive	1.1.0	❌
CVE-2021-42740	High	9.8	shell-quote-1.6.1.tgz	Transitive	5.0.0	❌
CVE-2022-1650	High	9.3	eventsource-0.1.6.tgz	Transitive	2.1.3	❌
CVE-2019-10744	High	9.1	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2022-0686	High	9.1	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2019-20920	High	8.1	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
WS-2019-0063	High	8.1	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2021-43138	High	7.8	async-2.6.0.tgz	Transitive	3.0.0	❌
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
CVE-2018-16469	High	7.5	merge-1.2.0.tgz	Transitive	1.1.0	❌
CVE-2022-29167	High	7.5	hawk-6.0.2.tgz	Transitive	N/A	❌
CVE-2018-14732	High	7.5	webpack-dev-server-2.9.4.tgz	Transitive	2.0.0	❌
CVE-2021-23343	High	7.5	path-parse-1.0.5.tgz	Transitive	1.1.0	❌
CVE-2020-7662	High	7.5	websocket-extensions-0.1.3.tgz	Transitive	1.1.0	❌
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	5.0.0	❌
CVE-2019-20922	High	7.5	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2021-33502	High	7.5	normalize-url-1.9.1.tgz	Transitive	5.0.0	❌
WS-2021-0152	High	7.5	color-string-0.3.0.tgz	Transitive	2.0.0	❌
CVE-2022-24772	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-29059	High	7.5	is-svg-2.1.0.tgz	Transitive	2.0.0	❌
CVE-2022-24771	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
WS-2019-0032	High	7.5	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2021-3803	High	7.5	nth-check-1.0.1.tgz	Transitive	1.1.0	❌
CVE-2021-27516	High	7.5	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2021-3807	High	7.5	ansi-regex-3.0.0.tgz	Transitive	1.1.0	❌
WS-2020-0450	High	7.5	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2021-28092	High	7.5	is-svg-2.1.0.tgz	Transitive	2.0.0	❌
WS-2020-0091	High	7.5	http-proxy-1.16.2.tgz	Transitive	1.1.0	❌
WS-2019-0541	High	7.5	macaddress-0.2.8.tgz	Transitive	1.1.0	❌
CVE-2021-3777	High	7.5	tmpl-1.0.4.tgz	Transitive	1.1.0	❌
WS-2018-0588	High	7.4	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2020-8203	High	7.4	lodash-4.17.4.tgz	Transitive	1.1.0	❌
CVE-2020-7788	High	7.3	ini-1.3.5.tgz	Transitive	1.1.0	❌
CVE-2020-8116	High	7.3	dot-prop-3.0.0.tgz	Transitive	1.1.0	❌
CVE-2020-7720	High	7.3	node-forge-0.6.33.tgz	Transitive	1.1.0	❌
WS-2019-0064	High	7.3	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2021-23337	High	7.2	lodash-4.17.4.tgz	Transitive	1.1.0	❌
WS-2018-0590	High	7.1	diff-3.4.0.tgz	Transitive	1.1.0	❌
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2022-0008	Medium	6.6	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-23386	Medium	6.5	dns-packet-1.2.2.tgz	Transitive	1.1.0	❌
CVE-2022-0613	Medium	6.5	urijs-1.19.0.tgz	Transitive	N/A	❌
CVE-2019-1010266	Medium	6.5	lodash-4.17.4.tgz	Transitive	1.1.0	❌
CVE-2020-26291	Medium	6.5	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2018-3721	Medium	6.5	lodash-4.17.4.tgz	Transitive	1.1.0	❌
CVE-2022-1243	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-1233	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-0868	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2021-3647	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-0122	Medium	6.1	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
WS-2019-0427	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
CVE-2020-7789	Medium	5.6	node-notifier-5.1.2.tgz	Transitive	1.1.0	❌
CVE-2021-24033	Medium	5.6	react-dev-utils-4.2.1.tgz	Transitive	4.0.0	❌
CVE-2018-16487	Medium	5.6	lodash-4.17.4.tgz	Transitive	1.1.0	❌
WS-2019-0103	Medium	5.6	handlebars-4.0.11.tgz	Transitive	1.1.0	❌
CVE-2020-15366	Medium	5.6	ajv-5.5.2.tgz	Transitive	2.0.0	❌
CVE-2020-7693	Medium	5.3	sockjs-0.3.18.tgz	Transitive	3.4.2	❌
CVE-2022-0512	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-3664	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
WS-2019-0017	Medium	5.3	clean-css-4.1.9.tgz	Transitive	1.1.0	❌
CVE-2021-23382	Medium	5.3	detected in multiple dependencies	Transitive	3.0.0	❌
CVE-2020-28500	Medium	5.3	lodash-4.17.4.tgz	Transitive	1.1.0	❌
CVE-2022-24723	Medium	5.3	urijs-1.19.0.tgz	Transitive	1.1.0	❌
WS-2018-0347	Medium	5.3	eslint-4.10.0.tgz	Transitive	2.0.0	❌
CVE-2022-24773	Medium	5.3	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-27515	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2020-8124	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-29060	Medium	5.3	color-string-0.3.0.tgz	Transitive	2.0.0	❌
CVE-2022-33987	Medium	5.3	got-5.7.1.tgz	Transitive	2.0.1	❌
CVE-2020-7608	Medium	5.3	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2022-0639	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2017-16028	Medium	5.3	randomatic-1.1.7.tgz	Transitive	1.1.0	❌
WS-2019-0307	Medium	5.1	mem-1.1.0.tgz	Transitive	2.0.0	❌
WS-2018-0589	Low	3.7	nwmatcher-1.4.3.tgz	Transitive	1.1.0	❌

Details

Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-23369

### Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/handlebars/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/handlebars/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - istanbul-api-1.2.1.tgz - istanbul-reports-1.1.3.tgz - :x: **handlebars-4.0.11.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-3774

### Vulnerable Libraries - url-parse-1.2.0.tgz, url-parse-1.0.5.tgz

### url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **url-parse-1.2.0.tgz** (Vulnerable Library) ### url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - eventsource-0.1.6.tgz - original-1.0.0.tgz - :x: **url-parse-1.0.5.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-19919

### Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-12-20

URL: CVE-2019-19919

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-13797

### Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/macaddress/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/macaddress/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - css-loader-0.28.7.tgz - cssnano-3.10.0.tgz - postcss-filter-plugins-2.0.2.tgz - uniqid-4.1.1.tgz - :x: **macaddress-0.2.8.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2018-07-10

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-1000620

### Vulnerable Library - cryptiles-3.1.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Path to dependency file: /src/SignalR/clients/ts/webdriver-tap-runner/package.json

Path to vulnerable library: /src/SignalR/clients/ts/webdriver-tap-runner/node_modules/chromedriver/node_modules/cryptiles/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/cryptiles/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/cryptiles/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - jest-environment-jsdom-20.0.3.tgz - jsdom-9.12.0.tgz - request-2.83.0.tgz - hawk-6.0.2.tgz - :x: **cryptiles-3.1.2.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-28499

### Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/merge/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/merge/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - jest-haste-map-20.0.5.tgz - sane-1.6.0.tgz - exec-sh-0.2.1.tgz - :x: **merge-1.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (react-scripts): 3.0.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23383

### Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-3750

### Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/deep-extend/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/deep-extend/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - sw-precache-webpack-plugin-0.11.4.tgz - sw-precache-5.2.0.tgz - update-notifier-1.0.3.tgz - latest-version-2.0.0.tgz - package-json-2.4.0.tgz - registry-auth-token-3.3.1.tgz - rc-1.2.2.tgz - :x: **deep-extend-0.4.2.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-0691

### Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

### url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **url-parse-1.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-6342

### Vulnerable Library - react-dev-utils-4.2.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.1.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/react-dev-utils/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/react-dev-utils/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - :x: **react-dev-utils-4.2.1.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 4.2.2

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-42740

### Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/shell-quote/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/shell-quote/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - :x: **shell-quote-1.6.1.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-1650

### Vulnerable Library - eventsource-0.1.6.tgz

W3C compliant EventSource client for Node.js

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/eventsource/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/eventsource/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **eventsource-0.1.6.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

### CVSS 3 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (react-scripts): 2.1.3

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-10744

### Vulnerable Libraries - lodash-4.17.4.tgz, lodash.template-4.4.0.tgz

### lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/lodash/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/lodash/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - eslint-plugin-flowtype-2.39.1.tgz - :x: **lodash-4.17.4.tgz** (Vulnerable Library) ### lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json

Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/lodash.template/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/lodash.template/package.json

Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - sw-precache-webpack-plugin-0.11.4.tgz - sw-precache-5.2.0.tgz - :x: **lodash.template-4.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d

Found in base branch: main

### Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (react-scripts): 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

alieint / aspnetcore-2.1.24

react-scripts-1.0.17.tgz: 84 vulnerabilities (highest severity is: 9.8) - autoclosed #156

Vulnerabilities

Details