hatemhosny / racing-bars

Bar chart race made easy 🎉
https://racing-bars.hatemhosny.dev/
MIT License

jest-26.0.1.tgz: 5 vulnerabilities (highest severity is: 9.8) #130

Closed mend-bolt-for-github[bot] closed 2 months ago

mend-bolt-for-github[bot] commented 8 months ago
Vulnerable Library - jest-26.0.1.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/node-notifier/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (jest version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-26136 | Critical | 9.8 | detected in multiple dependencies | Transitive | 26.1.0 | |
| CVE-2021-3807 | High | 7.5 | ansi-regex-5.0.0.tgz | Transitive | 26.1.0 | |
| CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | 26.1.0 | |
| CVE-2020-7789 | Medium | 5.6 | node-notifier-7.0.0.tgz | Transitive | 26.1.0 | |
| CVE-2021-32640 | Medium | 5.3 | ws-7.2.5.tgz | Transitive | 26.1.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2023-26136**

### Vulnerable Libraries - tough-cookie-3.0.1.tgz, tough-cookie-2.5.0.tgz

### tough-cookie-3.0.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-3.0.1.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/tough-cookie/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - jest-config-26.0.1.tgz
      - jest-environment-jsdom-26.0.1.tgz
        - jsdom-16.2.2.tgz
          - :x: **tough-cookie-3.0.1.tgz** (Vulnerable Library)

### tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/src/angular/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/src/angular/node_modules/tough-cookie/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - jest-config-26.0.1.tgz
      - jest-environment-jsdom-26.0.1.tgz
        - jsdom-16.2.2.tgz
          - request-promise-native-1.0.8.tgz
            - :x: **tough-cookie-2.5.0.tgz** (Vulnerable Library)

Found in base branch: develop

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (jest): 26.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

**CVE-2021-3807**

### Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/src/angular/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/jest/node_modules/ansi-regex/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - jest-runtime-26.0.1.tgz
      - yargs-15.3.1.tgz
        - cliui-6.0.0.tgz
          - strip-ansi-6.0.0.tgz
            - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)

Found in base branch: develop

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (jest): 26.1.0


**CVE-2021-3777**

### Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/tmpl/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - jest-haste-map-26.0.1.tgz
      - walker-1.0.7.tgz
        - makeerror-1.0.11.tgz
          - :x: **tmpl-1.0.4.tgz** (Vulnerable Library)

Found in base branch: develop

### Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (jest): 26.1.0


**CVE-2020-7789**

### Vulnerable Library - node-notifier-7.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-7.0.0.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/node-notifier/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - reporters-26.0.1.tgz
      - :x: **node-notifier-7.0.0.tgz** (Vulnerable Library)

Found in base branch: develop

### Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

### CVSS 3 Score Details (5.6)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853

Release Date: 2020-12-11

Fix Resolution (node-notifier): 8.0.1

Direct dependency fix Resolution (jest): 26.1.0


**CVE-2021-32640**

### Vulnerable Library - ws-7.2.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.2.5.tgz

Path to dependency file: /tmp/ws-scm/racing-bars-history/package.json

Path to vulnerable library: /tmp/ws-scm/racing-bars-history/node_modules/ws/package.json

Dependency Hierarchy:

- jest-26.0.1.tgz (Root Library)
  - core-26.0.1.tgz
    - jest-config-26.0.1.tgz
      - jest-environment-jsdom-26.0.1.tgz
        - jsdom-16.2.2.tgz
          - :x: **ws-7.2.5.tgz** (Vulnerable Library)

Found in base branch: develop

### Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 7.4.6

Direct dependency fix Resolution (jest): 26.1.0
