cli-7.5.1.tgz: 2 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github[bot]]

Vulnerable Library - cli-7.5.1.tgz

Path to dependency file: /components/discovery/yarn.lock

Path to vulnerable library: /docs/node_modules/terser/package.json,/components/dashboard/node_modules/terser/package.json,/components/discovery/yarn.lock

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (cli version)	Remediation Available
CVE-2022-25858	High	7.5	terser-4.8.0.tgz	Transitive	7.5.2	❌
CVE-2022-0144	High	7.1	shelljs-0.8.4.tgz	Transitive	8.1.7	❌

Details

CVE-2022-25858

### Vulnerable Library - terser-4.8.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz

Path to dependency file: /docs/package.json

Path to vulnerable library: /docs/node_modules/terser/package.json,/components/dashboard/node_modules/terser/package.json,/components/discovery/yarn.lock

Dependency Hierarchy: - cli-7.5.1.tgz (Root Library) - webpack-4.44.1.tgz - terser-webpack-plugin-1.4.5.tgz - :x: **terser-4.8.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 4.8.1

Direct dependency fix Resolution (@nestjs/cli): 7.5.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-0144

### Vulnerable Library - shelljs-0.8.4.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz

Path to dependency file: /components/dashboard/node_modules/shelljs/package.json

Path to vulnerable library: /components/dashboard/node_modules/shelljs/package.json,/docs/node_modules/shelljs/package.json,/components/discovery/yarn.lock

Dependency Hierarchy: - cli-7.5.1.tgz (Root Library) - :x: **shelljs-0.8.4.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

shelljs is vulnerable to Improper Privilege Management

Publish Date: 2022-01-11

URL: CVE-2022-0144

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-01-11

Fix Resolution (shelljs): 0.8.5

Direct dependency fix Resolution (@nestjs/cli): 8.1.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.