search

amaybaum-dev / V-Achilles

0 stars 2 forks source link

mini-css-extract-plugin-0.11.3.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed #3

Closed dev-mend-for-github-com[bot] closed 7 months ago

dev-mend-for-github-com[bot] commented 10 months ago
Vulnerable Library - mini-css-extract-plugin-0.11.3.tgz

Path to dependency file: /baak-vizualization/package.json

Path to vulnerable library: /baak-vizualization/node_modules/normalize-url/package.json,/achilles-frontend/node_modules/normalize-url/package.json

Found in HEAD commit: b0d97dc16106b359f6dc70c65c2e468357a794b9

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mini-css-extract-plugin version) Remediation Possible** Reachability
CVE-2021-33502 High 7.5 normalize-url-1.9.1.tgz Transitive 1.1.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-33502 ### Vulnerable Library - normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /baak-vizualization/package.json

Path to vulnerable library: /baak-vizualization/node_modules/normalize-url/package.json,/achilles-frontend/node_modules/normalize-url/package.json

Dependency Hierarchy: - mini-css-extract-plugin-0.11.3.tgz (Root Library) - :x: **normalize-url-1.9.1.tgz** (Vulnerable Library)

Found in HEAD commit: b0d97dc16106b359f6dc70c65c2e468357a794b9

Found in base branch: master

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (mini-css-extract-plugin): 1.1.0

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

dev-mend-for-github-com[bot] commented 7 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.