jgeraigery / Singularity-4567321

Scheduler (HTTP API and webapp) for running Mesos tasks—long running processes, one-off tasks, and scheduled jobs. #hubspot-open-source
http://getsingularity.com/
Apache License 2.0

gatsby-plugin-sharp-2.3.10.tgz: 13 vulnerabilities (highest severity is: 9.8) - autoclosed #181

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - gatsby-plugin-sharp-2.3.10.tgz

Wrapper of the Sharp image manipulation library for Gatsby plugins

Library home page: https://registry.npmjs.org/gatsby-plugin-sharp/-/gatsby-plugin-sharp-2.3.10.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (gatsby-plugin-sharp version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2021-3918 | Critical | 9.8 | json-schema-0.2.3.tgz | Transitive | 2.6.31 | |
| CVE-2020-12265 | Critical | 9.8 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.4.3.tgz | Transitive | N/A* | |
| CVE-2022-24999 | High | 7.5 | qs-6.5.2.tgz | Transitive | 2.6.31 | |
| CVE-2021-33623 | High | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 2.6.31 | |
| WS-2020-0044 | High | 7.5 | decompress-4.2.0.tgz | Transitive | 2.6.31 | |
| CVE-2021-3795 | High | 7.5 | semver-regex-2.0.0.tgz | Transitive | N/A* | |
| CVE-2022-25851 | High | 7.5 | jpeg-js-0.3.6.tgz | Transitive | 2.6.31 | |
| CVE-2021-43307 | High | 7.5 | semver-regex-2.0.0.tgz | Transitive | N/A* | |
| CVE-2020-8244 | Medium | 6.5 | bl-1.2.2.tgz | Transitive | 2.6.31 | |
| CVE-2020-8175 | Medium | 5.5 | jpeg-js-0.3.6.tgz | Transitive | 2.6.31 | |
| CVE-2023-0842 | Medium | 5.3 | xml2js-0.4.23.tgz | Transitive | N/A* | |
| CVE-2023-30548 | Medium | 4.3 | gatsby-plugin-sharp-2.3.10.tgz | Direct | N/A | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2021-3918**

### Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - probe-image-size-4.1.1.tgz
    - request-2.88.0.tgz
      - http-signature-1.2.0.tgz
        - jsprim-1.4.1.tgz
          - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): json-schema - 0.4.0

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

**CVE-2020-12265**

### Vulnerable Libraries - decompress-4.2.0.tgz, decompress-tar-4.1.1.tgz

### decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-build-3.0.0.tgz
        - :x: **decompress-4.2.0.tgz** (Vulnerable Library)

### decompress-tar-4.1.1.tgz

decompress tar plugin

Library home page: https://registry.npmjs.org/decompress-tar/-/decompress-tar-4.1.1.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-build-3.0.0.tgz
        - decompress-4.2.0.tgz
          - :x: **decompress-tar-4.1.1.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12265

Release Date: 2020-04-26

Fix Resolution: decompress - 4.2.1

**CVE-2023-26136**

### Vulnerable Library - tough-cookie-2.4.3.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz

Path to dependency file: /SingularityUI/node/npm/package.json

Path to vulnerable library: /SingularityUI/node/npm/node_modules/tough-cookie/package.json,/SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - probe-image-size-4.1.1.tgz
    - request-2.88.0.tgz
      - :x: **tough-cookie-2.4.3.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

**CVE-2022-24999**

### Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - probe-image-size-4.1.1.tgz
    - request-2.88.0.tgz
      - :x: **qs-6.5.2.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

**CVE-2021-33623**

### Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - logalot-2.1.0.tgz
        - squeak-1.3.0.tgz
          - lpad-align-1.1.2.tgz
            - meow-3.7.0.tgz
              - :x: **trim-newlines-1.0.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): trim-newlines - 3.0.1, 4.0.1

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2020-0044**

### Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-build-3.0.0.tgz
        - :x: **decompress-4.2.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. The package fails to prevent an extraction of files with relative paths, which allows attackers to write to any folder in the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-03-08

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-3795**

### Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-wrapper-4.1.0.tgz
        - bin-version-check-4.0.0.tgz
          - bin-version-3.1.0.tgz
            - find-versions-3.2.0.tgz
              - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity.

Publish Date: 2021-09-15

URL: CVE-2021-3795

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution: semver-regex - 3.1.3,4.0.1

**CVE-2022-25851**

### Vulnerable Library - jpeg-js-0.3.6.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.6.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - potrace-2.1.2.tgz
    - jimp-0.6.8.tgz
      - types-0.6.8.tgz
        - jpeg-0.6.8.tgz
          - :x: **jpeg-js-0.3.6.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS), where a particular piece of input will cause it to enter an infinite loop and never return.

Publish Date: 2022-06-10

URL: CVE-2022-25851

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution (jpeg-js): jpeg-js - 0.4.4

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2021-43307**

### Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-wrapper-4.1.0.tgz
        - bin-version-check-4.0.0.tgz
          - bin-version-3.1.0.tgz
            - find-versions-3.2.0.tgz
              - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.

Publish Date: 2022-06-02

URL: CVE-2021-43307

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution: semver-regex - 3.1.4,4.0.3

**CVE-2020-8244**

### Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - imagemin-mozjpeg-8.0.0.tgz
    - mozjpeg-6.0.1.tgz
      - bin-build-3.0.0.tgz
        - decompress-4.2.0.tgz
          - decompress-tar-4.1.1.tgz
            - tar-stream-1.6.2.tgz
              - :x: **bl-1.2.2.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): bl - 1.2.3,2.2.1,3.0.1,4.0.3

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-8175**

### Vulnerable Library - jpeg-js-0.3.6.tgz

A pure javascript JPEG encoder and decoder

Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.3.6.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - potrace-2.1.2.tgz
    - jimp-0.6.8.tgz
      - types-0.6.8.tgz
        - jpeg-0.6.8.tgz
          - :x: **jpeg-js-0.3.6.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow an attacker to launch denial of service attacks using a specially crafted JPEG image.

Publish Date: 2020-07-24

URL: CVE-2020-8175

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175

Release Date: 2020-07-27

Fix Resolution (jpeg-js): 0.4.0

Direct dependency fix Resolution (gatsby-plugin-sharp): 2.6.31

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2023-0842**

### Vulnerable Library - xml2js-0.4.23.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- gatsby-plugin-sharp-2.3.10.tgz (Root Library)
  - potrace-2.1.2.tgz
    - jimp-0.6.8.tgz
      - custom-0.6.8.tgz
        - core-0.6.8.tgz
          - load-bmfont-1.4.0.tgz
            - parse-bmfont-xml-1.1.4.tgz
              - :x: **xml2js-0.4.23.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842

Release Date: 2023-04-05

Fix Resolution: xml2js - 0.5.0

**CVE-2023-30548**

### Vulnerable Library - gatsby-plugin-sharp-2.3.10.tgz

Wrapper of the Sharp image manipulation library for Gatsby plugins

Library home page: https://registry.npmjs.org/gatsby-plugin-sharp/-/gatsby-plugin-sharp-2.3.10.tgz

Path to dependency file: /SingularityUI/node/npm/docs/package.json

Path to vulnerable library: /SingularityUI/node/npm/docs/package.json

Dependency Hierarchy:
- :x: **gatsby-plugin-sharp-2.3.10.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

gatsby-plugin-sharp is a plugin for the gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (`gatsby develop`). It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. Attackers exploiting this vulnerability will have read access to all files within the scope of the server process. A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability. Users are nonetheless encouraged to upgrade to a safe version.

Publish Date: 2023-04-17

URL: CVE-2023-30548

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: gatsby-plugin-sharp

Release Date: 2023-04-17

Fix Resolution: gatsby-plugin-sharp - 4.25.1,5.8.1

In order to enable automatic remediation, please create workflow rules.

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.