Closed mend-bolt-for-github[bot] closed 2 years ago
:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #157
:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #157
Vulnerable Library - react-scripts-1.0.17.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/normalize-url/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/normalize-url/package.json
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Vulnerabilities
Details
CVE-2021-23369
### Vulnerable Library - handlebars-4.0.11.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/handlebars/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/handlebars/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - istanbul-api-1.2.1.tgz - istanbul-reports-1.1.3.tgz - :x: **handlebars-4.0.11.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsThe package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2018-3774
### Vulnerable Libraries - url-parse-1.2.0.tgz, url-parse-1.0.5.tgz### url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/url-parse/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **url-parse-1.2.0.tgz** (Vulnerable Library) ### url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - eventsource-0.1.6.tgz - original-1.0.0.tgz - :x: **url-parse-1.0.5.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsIncorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Publish Date: 2018-08-12
URL: CVE-2018-3774
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774
Release Date: 2018-08-12
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (url-parse): 1.4.3
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2019-19919
### Vulnerable Library - handlebars-4.0.11.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/handlebars/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/handlebars/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - istanbul-api-1.2.1.tgz - istanbul-reports-1.1.3.tgz - :x: **handlebars-4.0.11.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsVersions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Publish Date: 2019-12-20
URL: CVE-2019-19919
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
Release Date: 2019-12-20
Fix Resolution (handlebars): 4.3.0
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2018-13797
### Vulnerable Library - macaddress-0.2.8.tgzGet the MAC addresses (hardware addresses) of the hosts network interfaces.
Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/macaddress/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/macaddress/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - css-loader-0.28.7.tgz - cssnano-3.10.0.tgz - postcss-filter-plugins-2.0.2.tgz - uniqid-4.1.1.tgz - :x: **macaddress-0.2.8.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsThe macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Publish Date: 2018-07-10
URL: CVE-2018-13797
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797
Release Date: 2018-07-10
Fix Resolution (macaddress): 0.2.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2018-1000620
### Vulnerable Library - cryptiles-3.1.2.tgzGeneral purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz
Path to dependency file: /src/SignalR/clients/ts/webdriver-tap-runner/package.json
Path to vulnerable library: /src/SignalR/clients/ts/webdriver-tap-runner/node_modules/chromedriver/node_modules/cryptiles/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/cryptiles/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/cryptiles/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - jest-environment-jsdom-20.0.3.tgz - jsdom-9.12.0.tgz - request-2.83.0.tgz - hawk-6.0.2.tgz - :x: **cryptiles-3.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsEran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2020-28499
### Vulnerable Library - merge-1.2.0.tgzMerge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/merge/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/merge/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - jest-haste-map-20.0.5.tgz - sane-1.6.0.tgz - exec-sh-0.2.1.tgz - :x: **merge-1.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsAll versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Publish Date: 2021-02-18
URL: CVE-2020-28499
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (react-scripts): 3.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-23383
### Vulnerable Library - handlebars-4.0.11.tgzHandlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/handlebars/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/handlebars/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - jest-20.0.4.tgz - jest-cli-20.0.4.tgz - istanbul-api-1.2.1.tgz - istanbul-reports-1.1.3.tgz - :x: **handlebars-4.0.11.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.1.2-0
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2018-3750
### Vulnerable Library - deep-extend-0.4.2.tgzRecursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/deep-extend/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/deep-extend/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - sw-precache-webpack-plugin-0.11.4.tgz - sw-precache-5.2.0.tgz - update-notifier-1.0.3.tgz - latest-version-2.0.0.tgz - package-json-2.4.0.tgz - registry-auth-token-3.3.1.tgz - rc-1.2.2.tgz - :x: **deep-extend-0.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsThe utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750
Release Date: 2018-07-03
Fix Resolution (deep-extend): 0.5.1
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2022-0691
### Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz### url-parse-1.0.5.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/original/node_modules/url-parse/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - eventsource-0.1.6.tgz - original-1.0.0.tgz - :x: **url-parse-1.0.5.tgz** (Vulnerable Library) ### url-parse-1.2.0.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/url-parse/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/url-parse/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **url-parse-1.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2018-6342
### Vulnerable Library - react-dev-utils-4.2.1.tgzWebpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.1.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/react-dev-utils/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/react-dev-utils/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - :x: **react-dev-utils-4.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability Detailsreact-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
Publish Date: 2018-12-31
URL: CVE-2018-6342
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342
Release Date: 2018-12-31
Fix Resolution (react-dev-utils): 4.2.2
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-42740
### Vulnerable Library - shell-quote-1.6.1.tgzquote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/shell-quote/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/shell-quote/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - :x: **shell-quote-1.6.1.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsThe shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-scripts): 5.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2022-1650
### Vulnerable Library - eventsource-0.1.6.tgzW3C compliant EventSource client for Node.js
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/eventsource/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/eventsource/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - react-dev-utils-4.2.1.tgz - sockjs-client-1.1.4.tgz - :x: **eventsource-0.1.6.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsExposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
### CVSS 3 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (react-scripts): 2.1.3
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2019-10744
### Vulnerable Libraries - lodash-4.17.4.tgz, lodash.template-4.4.0.tgz### lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/lodash/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/lodash/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - eslint-plugin-flowtype-2.39.1.tgz - :x: **lodash-4.17.4.tgz** (Vulnerable Library) ### lodash.template-4.4.0.tgz
The lodash method `_.template` exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz
Path to dependency file: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/package.json
Path to vulnerable library: /src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/ReactRedux-CSharp/ClientApp/node_modules/lodash.template/package.json,/src/Templating/src/Microsoft.DotNet.Web.Spa.ProjectTemplates/content/React-CSharp/ClientApp/node_modules/lodash.template/package.json
Dependency Hierarchy: - react-scripts-1.0.17.tgz (Root Library) - sw-precache-webpack-plugin-0.11.4.tgz - sw-precache-5.2.0.tgz - :x: **lodash.template-4.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: ebe7c6237e41b2d6f63ad16df6b50fa372ea6b4d
Found in base branch: main
### Vulnerability DetailsVersions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (react-scripts): 1.1.0
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (react-scripts): 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)