mend-bolt-for-github[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/json5/package.json
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-0691
### Vulnerable Library - url-parse-1.5.3.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/url-parse/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - sockjs-client-1.5.1.tgz - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37601
### Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.4.0.tgz### loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - html-webpack-plugin-3.2.0.tgz - :x: **loader-utils-0.2.17.tgz** (Vulnerable Library) ### loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/loader-utils/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-cli-3.3.12.tgz - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsPrototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-12
Fix Resolution: loader-utils - v2.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23540
### Vulnerable Library - jsonwebtoken-8.5.1.tgzJSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/jsonwebtoken/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **jsonwebtoken-8.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsIn versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.
Publish Date: 2022-12-22
URL: CVE-2022-23540
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540
Release Date: 2022-12-22
Fix Resolution: jsonwebtoken - 9.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23541
### Vulnerable Library - jsonwebtoken-8.5.1.tgzJSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/jsonwebtoken/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **jsonwebtoken-8.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Detailsjsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.
Publish Date: 2022-12-22
URL: CVE-2022-23541
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
Release Date: 2022-12-22
Fix Resolution: jsonwebtoken - 9.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23436
### Vulnerable Library - immer-8.0.4.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.4.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/immer/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **immer-8.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsThis affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Publish Date: 2021-09-01
URL: CVE-2021-23436
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution: immer - 9.0.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23529
### Vulnerable Library - jsonwebtoken-8.5.1.tgzJSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/jsonwebtoken/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **jsonwebtoken-8.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Detailsnode-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.
Publish Date: 2022-12-21
URL: CVE-2022-23529
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q
Release Date: 2022-12-21
Fix Resolution: jsonwebtoken - 9.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37598
### Vulnerable Library - uglify-js-3.4.10.tgzJavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/uglify-js/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - html-loader-0.5.5.tgz - html-minifier-3.5.21.tgz - :x: **uglify-js-3.4.10.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Details** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-20
Fix Resolution: uglify-js - 3.13.10
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-7707
### Vulnerable Library - property-expr-1.5.1.tgztiny util for getting and setting deep object props safely
Library home page: https://registry.npmjs.org/property-expr/-/property-expr-1.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/@buffetjs/utils/node_modules/property-expr/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - utils-3.3.6.tgz - yup-0.27.0.tgz - :x: **property-expr-1.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsThe package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.
Publish Date: 2020-08-18
URL: CVE-2020-7707
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7707
Release Date: 2020-08-18
Fix Resolution (property-expr): 2.0.3
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-44906
### Vulnerable Library - minimist-1.2.5.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/minimist/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-4.46.0.tgz - mkdirp-0.5.5.tgz - :x: **minimist-1.2.5.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-03-17
Fix Resolution: minimist - 1.2.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3757
### Vulnerable Library - immer-8.0.4.tgzCreate your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.4.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/immer/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **immer-8.0.4.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Detailsimmer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution: immer - 9.0.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1650
### Vulnerable Library - eventsource-1.1.0.tgzW3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.1.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/eventsource/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - sockjs-client-1.5.1.tgz - :x: **eventsource-1.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsExposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
### CVSS 3 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0686
### Vulnerable Library - url-parse-1.5.3.tgzSmall footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/url-parse/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - sockjs-client-1.5.1.tgz - :x: **url-parse-1.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-46175
### Vulnerable Libraries - json5-0.5.1.tgz, json5-1.0.1.tgz, json5-2.2.0.tgz### json5-0.5.1.tgz
JSON for the ES5 era.
Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/html-webpack-plugin/node_modules/json5/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - html-webpack-plugin-3.2.0.tgz - loader-utils-0.2.17.tgz - :x: **json5-0.5.1.tgz** (Vulnerable Library) ### json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/loader-utils/node_modules/json5/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-cli-3.3.12.tgz - loader-utils-1.4.0.tgz - :x: **json5-1.0.1.tgz** (Vulnerable Library) ### json5-2.2.0.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.2.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/json5/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - core-7.14.8.tgz - :x: **json5-2.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsJSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-23539
### Vulnerable Library - jsonwebtoken-8.5.1.tgzJSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/jsonwebtoken/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **jsonwebtoken-8.5.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.
Publish Date: 2022-12-23
URL: CVE-2022-23539
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
Release Date: 2022-12-23
Fix Resolution: jsonwebtoken - 9.0.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-23424
### Vulnerable Library - ansi-html-0.0.7.tgzAn elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/ansi-html/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - :x: **ansi-html-0.0.7.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsThis affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-25858
### Vulnerable Library - terser-4.8.0.tgzJavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/terser/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - terser-webpack-plugin-1.4.5.tgz - :x: **terser-4.8.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsThe package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-28469
### Vulnerable Library - glob-parent-3.1.0.tgzStrips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,/app/node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - chokidar-2.1.8.tgz - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsThis affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-37620
### Vulnerable Library - html-minifier-3.5.21.tgzHighly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/html-minifier/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - html-loader-0.5.5.tgz - :x: **html-minifier-3.5.21.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsA Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-38900
### Vulnerable Library - decode-uri-component-0.2.0.tgzA better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/decode-uri-component/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-4.46.0.tgz - micromatch-3.1.10.tgz - snapdragon-0.8.2.tgz - source-map-resolve-0.5.3.tgz - :x: **decode-uri-component-0.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Detailsdecode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24772
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/node-forge/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - selfsigned-1.10.11.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-3749
### Vulnerable Library - axios-0.21.1.tgzPromise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/axios/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - :x: **axios-0.21.1.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability Detailsaxios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.21.2
Direct dependency fix Resolution (strapi-admin): 3.6.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-24771
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /app/package.json
Path to vulnerable library: /app/node_modules/node-forge/package.json
Dependency Hierarchy: - strapi-admin-3.6.5.tgz (Root Library) - webpack-dev-server-3.11.2.tgz - selfsigned-1.10.11.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in HEAD commit: 0deb97dca63193d326c0a75e778430c564444e7c
Found in base branch: develop
### Vulnerability DetailsForge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)