jgeraigery / gatsby-starter-netlify-cms

MIT License

netlify-cms-app-2.12.19.tgz: 13 vulnerabilities (highest severity is: 9.8) - autoclosed #3

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - netlify-cms-app-2.12.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (netlify-cms-app version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-23436 | Critical | 9.8 | immer-3.3.0.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2022-37601 | Critical | 9.8 | loader-utils-1.4.0.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2021-3757 | Critical | 9.8 | immer-3.3.0.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2020-28477 | High | 7.5 | immer-3.3.0.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2021-27292 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2022-31129 | High | 7.5 | moment-2.27.0.tgz | Transitive | N/A* | |
| CVE-2022-37603 | High | 7.5 | loader-utils-1.4.0.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2022-24785 | High | 7.5 | moment-2.27.0.tgz | Transitive | 2.15.70 | ✅ |
| CVE-2020-7733 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2020-7753 | High | 7.5 | trim-0.0.1.tgz | Transitive | N/A* | |
| CVE-2020-7793 | High | 7.5 | ua-parser-js-0.7.21.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | 2.12.20 | ✅ |
| CVE-2020-15168 | Medium | 5.3 | node-fetch-1.7.3.tgz | Transitive | 2.12.20 | ✅ |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the section "Details" below to see if there is a version of the transitive dependency where the vulnerability is fixed.

Details

## CVE-2021-23436

### Vulnerable Library - immer-3.3.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-core-2.30.3.tgz
    - :x: **immer-3.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2022-37601

### Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-core-2.30.3.tgz
    - react-hot-loader-4.12.21.tgz
      - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2021-3757

### Vulnerable Library - immer-3.3.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-core-2.30.3.tgz
    - :x: **immer-3.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-28477

### Vulnerable Library - immer-3.3.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-core-2.30.3.tgz
    - :x: **immer-3.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (immer): 8.0.1

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2021-27292

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-date-2.5.2.tgz
    - react-datetime-2.16.3.tgz
      - create-react-class-15.6.3.tgz
        - fbjs-0.8.17.tgz
          - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Publish Date: 2021-03-17

URL: CVE-2021-27292

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution (ua-parser-js): 0.7.24

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2022-31129

### Vulnerable Library - moment-2.27.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.27.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - :x: **moment-2.27.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

## CVE-2022-37603

### Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-core-2.30.3.tgz
    - react-hot-loader-4.12.21.tgz
      - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 2.0.4

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2022-24785

### Vulnerable Library - moment-2.27.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.27.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - :x: **moment-2.27.0.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (netlify-cms-app): 2.15.70

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-7733

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-date-2.5.2.tgz
    - react-datetime-2.16.3.tgz
      - create-react-class-15.6.3.tgz
        - fbjs-0.8.17.tgz
          - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-7753

### Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-markdown-2.12.2.tgz
    - remark-parse-6.0.3.tgz
      - :x: **trim-0.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

## CVE-2020-7793

### Vulnerable Library - ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-date-2.5.2.tgz
    - react-datetime-2.16.3.tgz
      - create-react-class-15.6.3.tgz
        - fbjs-0.8.17.tgz
          - :x: **ua-parser-js-0.7.21.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2022-0235

### Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-date-2.5.2.tgz
    - react-datetime-2.16.3.tgz
      - create-react-class-15.6.3.tgz
        - fbjs-0.8.17.tgz
          - isomorphic-fetch-2.2.1.tgz
            - :x: **node-fetch-1.7.3.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-15168

### Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:
- netlify-cms-app-2.12.19.tgz (Root Library)
  - netlify-cms-widget-date-2.5.2.tgz
    - react-datetime-2.16.3.tgz
      - create-react-class-15.6.3.tgz
        - fbjs-0.8.17.tgz
          - isomorphic-fetch-2.2.1.tgz
            - :x: **node-fetch-1.7.3.tgz** (Vulnerable Library)

Found in HEAD commit: 5df11d63d2ec14dabae2ea2de08e3f2e8f6a261c

Found in base branch: master

### Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (netlify-cms-app): 2.12.20

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.