search

bitbar / test-samples

Sample test scripts and applications for Bitbar Cloud
https://docs.bitbar.com/testing/index.html
Apache License 2.0
109 stars 222 forks source link

CVE-2022-22912 (High) detected in plist-2.0.1.tgz, plist-1.2.0.tgz - autoclosed #387

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2022-22912 - High Severity Vulnerability

Vulnerable Libraries - plist-2.0.1.tgz, plist-1.2.0.tgz

plist-2.0.1.tgz

Mac OS X Plist parser/builder for Node.js and browsers

Library home page: https://registry.npmjs.org/plist/-/plist-2.0.1.tgz

Path to dependency file: /samples/testing-frameworks/detox/react-native/package.json

Path to vulnerable library: /samples/testing-frameworks/detox/react-native/node_modules/simple-plist/node_modules/plist/package.json

Dependency Hierarchy: - react-native-0.54.4.tgz (Root Library) - xcode-0.9.3.tgz - simple-plist-0.2.1.tgz - :x: **plist-2.0.1.tgz** (Vulnerable Library)

plist-1.2.0.tgz

Mac OS X Plist parser/builder for Node.js and browsers

Library home page: https://registry.npmjs.org/plist/-/plist-1.2.0.tgz

Path to dependency file: /samples/testing-frameworks/detox/react-native/package.json

Path to vulnerable library: /samples/testing-frameworks/detox/react-native/node_modules/plist/package.json

Dependency Hierarchy: - react-native-0.54.4.tgz (Root Library) - :x: **plist-1.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: 12af4f854b64888df6e4492ecc94e141388e939a

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Publish Date: 2022-02-17

URL: CVE-2022-22912

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22912

Release Date: 2022-02-17

Fix Resolution (plist): 3.0.4

Direct dependency fix Resolution (react-native): 0.59.0

Fix Resolution (plist): 3.0.4

Direct dependency fix Resolution (react-native): 0.59.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.