CVE-2021-44906 (Critical) detected in multiple libraries

[mend-bolt-for-github[bot]]

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Libraries - minimist-0.1.0.tgz, minimist-1.2.5.tgz, minimist-1.2.0.tgz, minimist-0.0.10.tgz, minimist-0.0.8.tgz

minimist-0.1.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.1.0.tgz

Path to dependency file: /aws-python-rest-api-with-pynamodb/package.json

Path to vulnerable library: /aws-python-rest-api-with-pynamodb/node_modules/minimist/package.json,/aws-python-pynamodb-s3-sigurl/node_modules/minimist/package.json

Dependency Hierarchy: - serverless-python-requirements-2.4.1.tgz (Root Library) - glob-all-3.1.0.tgz - yargs-1.2.6.tgz - :x: **minimist-0.1.0.tgz** (Vulnerable Library)

minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /aws-node-auth0-custom-authorizers-api/package.json

Path to vulnerable library: /aws-node-auth0-custom-authorizers-api/node_modules/minimist/package.json,/aws-node-puppeteer/node_modules/rc/node_modules/minimist/package.json,/aws-node-vue-nuxt-ssr/node_modules/minimist/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/minimist/package.json,/aws-node-http-api-typescript-dynamodb/node_modules/minimist/package.json,/azure-node-line-bot/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/portfinder/node_modules/minimist/package.json,/aws-node-rest-api-typescript-simple/node_modules/minimist/package.json,/aws-node-typescript-kinesis/node_modules/minimist/package.json,/azure-node-telegram-bot/node_modules/azure-functions-core-tools/node_modules/minimist/package.json,/azure-node-typescript-servicebus-trigger-endpoint/node_modules/azure-functions-core-tools/node_modules/minimist/package.json,/azure-node-telegram-bot/node_modules/minimist/package.json,/azure-node-typescript-servicebus-trigger-endpoint/node_modules/serverless-azure-functions/node_modules/azure-functions-core-tools/node_modules/minimist/package.json,/aws-node-dynamic-image-resizer/node_modules/minimist/package.json,/aws-rust-simple-http-endpoint/node_modules/minimist/package.json,/google-node-typescript-http-endpoint/node_modules/minimist/package.json,/azure-node-line-bot/node_modules/azure-functions-core-tools/node_modules/minimist/package.json,/aws-node-typescript-rest-api-with-dynamodb/node_modules/minimist/package.json,/aws-node-signed-uploads/node_modules/minimist/package.json,/aws-node-function-compiled-with-babel/node_modules/minimist/package.json,/aws-node-typescript-apollo-lambda/node_modules/minimist/package.json,/aws-node-rest-api-with-dynamodb-and-offline/node_modules/minimist/package.json,/aws-golang-auth-examples/node_modules/minimist/package.json,/aws-node-http-api-typescript/node_modules/minimist/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/minimist/package.json,/aws-node-http-api-dynamodb-local/node_modules/minimist/package.json,/aws-node-stripe-integration/node_modules/minimist/package.json,/aws-node-ses-receive-email-body/node_modules/minimist/package.json,/aws-node-rest-api-typescript/node_modules/minimist/package.json,/azure-node-typescript-servicebus-trigger-endpoint/node_modules/minimist/package.json

Dependency Hierarchy: - eslint-6.6.0.tgz (Root Library) - mkdirp-0.5.5.tgz - :x: **minimist-1.2.5.tgz** (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /aws-node-fullstack/frontend/package.json

Path to vulnerable library: /aws-node-fullstack/frontend/package.json,/aws-node-typescript-nest/node_modules/subarg/node_modules/minimist/package.json,/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/node_modules/tabtab/node_modules/minimist/package.json,/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/node_modules/serverless/node_modules/minimist/package.json,/aws-node-typescript-sqs-standard/node_modules/minimist/package.json,/aws-node-github-check/package.json,/aws-node-typescript-nest/package.json,/aws-node-typescript-nest/node_modules/@babel/core/node_modules/minimist/package.json,/node_modules/markdown-toc/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/ts-jest/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/tsconfig-paths/node_modules/minimist/package.json,/aws-node-github-check/node_modules/ts-node/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/sane/node_modules/minimist/package.json,/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/node_modules/rc/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/detective/node_modules/minimist/package.json,/aws-node-fullstack/frontend/node_modules/minimist/package.json,/aws-node-oauth-dropbox-api/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/rc/node_modules/minimist/package.json,/aws-node-typescript-sqs-standard/package.json,/aws-node-typescript-nest/node_modules/watch/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/ts-node/node_modules/minimist/package.json

Dependency Hierarchy: - webpack-4.41.2.tgz (Root Library) - watchpack-1.6.0.tgz - chokidar-2.1.8.tgz - fsevents-1.2.9.tgz - node-pre-gyp-0.12.0.tgz - rc-1.2.8.tgz - :x: **minimist-1.2.0.tgz** (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /aws-node-fullstack/frontend/package.json

Path to vulnerable library: /aws-node-fullstack/frontend/node_modules/optimist/node_modules/minimist/package.json

Dependency Hierarchy: - react-scripts-2.1.8.tgz (Root Library) - jest-23.6.0.tgz - jest-cli-23.6.0.tgz - istanbul-api-1.3.7.tgz - istanbul-reports-1.5.1.tgz - handlebars-4.1.1.tgz - optimist-0.6.1.tgz - :x: **minimist-0.0.10.tgz** (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /aws-node-typescript-nest/package.json

Path to vulnerable library: /aws-node-typescript-nest/package.json,/aws-node-fullstack/frontend/package.json,/aws-node-puppeteer/node_modules/extract-zip/node_modules/minimist/package.json,/node_modules/minimist/package.json,/aws-dotnet-rest-api-with-dynamodb/src/DotNetServerless.Lambda/node_modules/mkdirp/node_modules/minimist/package.json,/aws-node-typescript-nest/node_modules/minimist/package.json,/aws-node-github-check/node_modules/minimist/package.json,/aws-node-typescript-sqs-standard/node_modules/mkdirp/node_modules/minimist/package.json,/aws-node-oauth-dropbox-api/node_modules/mkdirp/node_modules/minimist/package.json,/aws-node-fullstack/frontend/node_modules/mkdirp/node_modules/minimist/package.json,/aws-node-puppeteer/node_modules/minimist/package.json,/aws-node-github-check/package.json,/aws-node-typescript-sqs-standard/package.json

Dependency Hierarchy: - eslint-6.6.0.tgz (Root Library) - mkdirp-0.5.1.tgz - :x: **minimist-0.0.8.tgz** (Vulnerable Library)

Found in HEAD commit: dcbe4aefe4b3685f4b15493a01db0f19b118a0c4

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (serverless-python-requirements): 2.5.0

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (eslint): 6.7.0

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (webpack): 4.41.3

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (react-scripts): 3.0.0

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (eslint): 6.7.0

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.