cypress-3.3.1.tgz: 7 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - cypress-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/detect-indent/node_modules/minimist/package.json,/node_modules/coveralls/node_modules/minimist/package.json,/node_modules/rc/node_modules/minimist/package.json,/node_modules/meow/node_modules/minimist/package.json,/node_modules/cypress/node_modules/minimist/package.json

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (cypress version)	Remediation Available
CVE-2021-44906	High	9.8	minimist-1.2.0.tgz	Transitive	4.12.0	✅
CVE-2021-42581	High	9.1	ramda-0.24.1.tgz	Transitive	6.6.0	✅
CVE-2022-31129	High	7.5	moment-2.24.0.tgz	Transitive	6.9.0	✅
CVE-2022-24785	High	7.5	moment-2.24.0.tgz	Transitive	6.9.0	✅
CVE-2020-15366	Medium	5.6	ajv-6.10.0.tgz	Transitive	3.3.2	✅
CVE-2020-7598	Medium	5.6	minimist-1.2.0.tgz	Transitive	4.3.0	✅
CVE-2023-28155	Medium	5.5	request-2.88.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2021-44906

### Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **minimist-1.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (cypress): 4.12.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-42581

### Vulnerable Library - ramda-0.24.1.tgz

A practical functional library for JavaScript programmers.

Library home page: https://registry.npmjs.org/ramda/-/ramda-0.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ramda/package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **ramda-0.24.1.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Publish Date: 2022-05-10

URL: CVE-2021-42581

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42581

Release Date: 2022-05-10

Fix Resolution (ramda): 0.27.1

Direct dependency fix Resolution (cypress): 6.6.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-31129

### Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **moment-2.24.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (cypress): 6.9.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-24785

### Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **moment-2.24.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (cypress): 6.9.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-15366

### Vulnerable Library - ajv-6.10.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - request-2.88.0.tgz - har-validator-5.1.3.tgz - :x: **ajv-6.10.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (cypress): 3.3.2

In order to enable automatic remediation, please create workflow rules

CVE-2020-7598

### Vulnerable Library - minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **minimist-1.2.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

### CVSS 3 Score Details (5.6)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (cypress): 4.3.0

In order to enable automatic remediation, please create workflow rules

CVE-2023-28155

### Vulnerable Library - request-2.88.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cypress/node_modules/request/package.json

Dependency Hierarchy: - cypress-3.3.1.tgz (Root Library) - :x: **request-2.88.0.tgz** (Vulnerable Library)

Found in HEAD commit: 9890cf392866ff74a91821d7ce185e0b438bc3d6

Found in base branch: main

### Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

In order to enable automatic remediation for this issue, please create workflow rules

clindseywsdemo / JS-Demo

cypress-3.3.1.tgz: 7 vulnerabilities (highest severity is: 9.8) - autoclosed #30

Vulnerabilities

Details