jgeraigery / gatsby-starter-netlify-cms

MIT License

gatsby-4.23.1.tgz: 12 vulnerabilities (highest severity is: 9.8) - autoclosed #21

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - gatsby-4.23.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|-----|----------|------|------------|------|----------|-----------------------|
| CVE-2020-7774 | High | 9.8 | y18n-4.0.0.tgz | Transitive | N/A | |
| CVE-2022-2900 | High | 9.1 | parse-url-7.0.2.tgz | Transitive | N/A | |
| CVE-2021-43138 | High | 7.8 | async-1.5.2.tgz | Transitive | N/A | |
| CVE-2021-3807 | High | 7.5 | detected in multiple dependencies | Transitive | N/A | |
| WS-2022-0237 | High | 7.5 | parse-url-7.0.2.tgz | Transitive | N/A | |
| WS-2022-0238 | High | 7.5 | parse-url-7.0.2.tgz | Transitive | N/A | |
| CVE-2021-23343 | High | 7.5 | path-parse-1.0.6.tgz | Transitive | N/A | |
| CVE-2021-33502 | High | 7.5 | normalize-url-4.5.0.tgz | Transitive | N/A | |
| CVE-2022-3224 | Medium | 6.1 | parse-url-7.0.2.tgz | Transitive | N/A | |
| WS-2022-0239 | Medium | 6.1 | parse-url-7.0.2.tgz | Transitive | N/A | |
| CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | N/A | |
| CVE-2021-23364 | Medium | 5.3 | browserslist-4.14.0.tgz | Transitive | N/A | |

Details

## CVE-2020-7774

### Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-cli-4.23.1.tgz
    - yargs-15.4.1.tgz
      - :x: **y18n-4.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

## CVE-2022-2900

### Vulnerable Library - parse-url-7.0.2.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-telemetry-3.23.0.tgz
    - git-up-6.0.0.tgz
      - :x: **parse-url-7.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-14

URL: CVE-2022-2900

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-09-14

Fix Resolution: parse-url - 8.0.0

## CVE-2021-43138

### Vulnerable Library - async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - cache-manager-2.11.1.tgz
    - :x: **async-1.5.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

## CVE-2021-3807

### Vulnerable Libraries - ansi-regex-5.0.0.tgz, ansi-regex-4.1.0.tgz

### ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json,/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - webpack-hot-middleware-2.25.3.tgz
    - strip-ansi-6.0.0.tgz
      - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)

### ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json,/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-cli-4.23.1.tgz
    - yurnalist-2.1.0.tgz
      - strip-ansi-5.2.0.tgz
        - :x: **ansi-regex-4.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

## WS-2022-0237

### Vulnerable Library - parse-url-7.0.2.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-telemetry-3.23.0.tgz
    - git-up-6.0.0.tgz
      - :x: **parse-url-7.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0. It allows causing a denial of service when calling the parse-url function.

Publish Date: 2022-07-04

URL: WS-2022-0237

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution: parse-url - 8.0.0

## WS-2022-0238

### Vulnerable Library - parse-url-7.0.2.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-telemetry-3.23.0.tgz
    - git-up-6.0.0.tgz
      - :x: **parse-url-7.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution: parse-url - 8.0.0

## CVE-2021-23343

### Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - webpack-asset-relocator-loader-1.7.3.tgz
    - resolve-1.17.0.tgz
      - :x: **path-parse-1.0.6.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

## CVE-2021-33502

### Vulnerable Library - normalize-url-4.5.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - got-9.6.0.tgz
        - cacheable-request-6.1.0.tgz
          - :x: **normalize-url-4.5.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

## CVE-2022-3224

### Vulnerable Library - parse-url-7.0.2.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-telemetry-3.23.0.tgz
    - git-up-6.0.0.tgz
      - :x: **parse-url-7.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-15

URL: CVE-2022-3224

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224

Release Date: 2022-09-15

Fix Resolution: parse-url - 8.1.0

## WS-2022-0239

### Vulnerable Library - parse-url-7.0.2.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-7.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - gatsby-telemetry-3.23.0.tgz
    - git-up-6.0.0.tgz
      - :x: **parse-url-7.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0. Through this vulnerability, an attacker is able to execute malicious JS code.

Publish Date: 2022-07-02

URL: WS-2022-0239

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution: parse-url - 8.0.0

## CVE-2022-33987

### Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/gatsby-source-filesystem/node_modules/got/package.json,/node_modules/got/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - latest-version-5.1.0.tgz
    - package-json-6.5.0.tgz
      - :x: **got-9.6.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

## CVE-2021-23364

### Vulnerable Library - browserslist-4.14.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist/package.json

Dependency Hierarchy:
- gatsby-4.23.1.tgz (Root Library)
  - css-minimizer-webpack-plugin-2.0.0.tgz
    - cssnano-5.1.13.tgz
      - cssnano-preset-default-5.2.12.tgz
        - postcss-merge-rules-5.1.2.tgz
          - caniuse-api-3.0.0.tgz
            - :x: **browserslist-4.14.0.tgz** (Vulnerable Library)

Found in HEAD commit: 86db508a480969116280ab0395277c510f01d828

Found in base branch: master

### Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.