Open dev-mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - css-loader-0.28.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2019-0063
### Vulnerable Library - js-yaml-3.7.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsJs-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (css-loader): 1.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2021-0152
### Vulnerable Library - color-string-0.3.0.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-colormin-2.2.2.tgz - colormin-1.1.2.tgz - color-0.11.4.tgz - :x: **color-string-0.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsRegular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (css-loader): 1.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2019-0032
### Vulnerable Library - js-yaml-3.7.0.tgzYAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - svgo-0.7.2.tgz - :x: **js-yaml-3.7.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsVersions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (css-loader): 1.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-33502
### Vulnerable Library - normalize-url-1.9.1.tgzNormalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-normalize-url-3.0.8.tgz - :x: **normalize-url-1.9.1.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsThe normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
CVE-2021-28092
### Vulnerable Library - is-svg-2.1.0.tgzCheck if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/is-svg/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - cssnano-3.10.0.tgz - postcss-svgo-2.1.6.tgz - :x: **is-svg-2.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsThe is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (css-loader): 1.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-23382
### Vulnerable Libraries - postcss-5.2.18.tgz, postcss-6.0.23.tgz### postcss-5.2.18.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - :x: **postcss-5.2.18.tgz** (Vulnerable Library) ### postcss-6.0.23.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss-modules-extract-imports/node_modules/postcss/package.json
Dependency Hierarchy: - css-loader-0.28.4.tgz (Root Library) - postcss-modules-extract-imports-1.2.1.tgz - :x: **postcss-6.0.23.tgz** (Vulnerable Library)
Found in HEAD commit: 6e4b88be793d288f8840c262fa7858c93a549abf
Found in base branch: master
### Vulnerability DetailsThe package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (css-loader): 2.0.0
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (css-loader): 2.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.