Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
# Vulnerable Library - core-7.4.4.tgz
Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-7.4.4.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
## Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
## Details
## CVE-2022-0235
### Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
- core-7.4.4.tgz (Root Library)
  - opencollective-0.2.2.tgz
    - :x: **node-fetch-2.6.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7, 3.1.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

## CVE-2023-26108
### Vulnerable Library - core-7.4.4.tgz

Nest - modern, fast, powerful node.js web framework (@core)
Library home page: https://registry.npmjs.org/@nestjs/core/-/core-7.4.4.tgz
Path to dependency file: /components/discovery/yarn.lock
Path to vulnerable library: /components/discovery/yarn.lock
Dependency Hierarchy:
- :x: **core-7.4.4.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile: the stream wrapped by the StreamableFile will be kept open.
Publish Date: 2023-03-06
URL: CVE-2023-26108
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26108
Release Date: 2023-03-06
Fix Resolution: 9.0.5