eRez-ws / expensify-app

0 stars 0 forks source link

css-loader-0.28.4.tgz: 6 vulnerabilities (highest severity is: 8.1) #2

Open dev-mend-for-github-com[bot] opened 2 years ago

dev-mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - css-loader-0.28.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (css-loader version) Remediation Possible**
WS-2019-0063 High 8.1 js-yaml-3.7.0.tgz Transitive 1.0.0
WS-2021-0152 High 7.5 color-string-0.3.0.tgz Transitive 1.0.0
WS-2019-0032 High 7.5 js-yaml-3.7.0.tgz Transitive 1.0.0
CVE-2021-33502 High 7.5 normalize-url-1.9.1.tgz Transitive N/A*
CVE-2021-28092 High 7.5 is-svg-2.1.0.tgz Transitive 1.0.0
CVE-2021-23382 Medium 5.3 detected in multiple dependencies Transitive 2.0.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0063 ### Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (css-loader): 1.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2021-0152 ### Vulnerable Library - color-string-0.3.0.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-colormin-2.2.2.tgz - colormin-1.1.2.tgz - color-0.11.4.tgz - :x: **color-string-0.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (css-loader): 1.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2019-0032 ### Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (css-loader): 1.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-33502 ### Vulnerable Library - normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-normalize-url-3.0.8.tgz - :x: **normalize-url-1.9.1.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

CVE-2021-28092 ### Vulnerable Library - is-svg-2.1.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-2.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - :x: **is-svg-2.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution (is-svg): 4.2.2

Direct dependency fix Resolution (css-loader): 1.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-23382 ### Vulnerable Libraries - postcss-5.2.18.tgz, postcss-6.0.23.tgz

### postcss-5.2.18.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - :x: **postcss-5.2.18.tgz** (Vulnerable Library) ### postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss-modules-extract-imports/node_modules/postcss/package.json

Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - postcss-modules-extract-imports-1.2.1.tgz - :x: **postcss-6.0.23.tgz** (Vulnerable Library)

Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf

Found in base branch: master

### Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (css-loader): 2.0.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (css-loader): 2.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

dev-mend-for-github-com[bot] commented 2 years ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.