*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/qs/package.json
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/request/package.json
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
### Reachability Analysis
This vulnerability is potentially reachable
```
lodash-4.17.15/lodash.js (Application)
-> ❌ yarn-ui-0.0.1/app/controllers/yarn-flow-activity.js (Vulnerable Component)
```
### Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/bl/package.json
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.
Vulnerable Library - em-table-0.12.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/is-my-json-valid/package.json
Vulnerabilities
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3918
### Vulnerable Library - json-schema-0.2.3.tgzJSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/json-schema/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - http-signature-1.1.1.tgz - jsprim-1.4.1.tgz - :x: **json-schema-0.2.3.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` json-schema-0.2.3/lib/validate.js (Application) -> jsprim-1.4.1/lib/jsprim.js (Extension) -> http-signature-1.1.1/lib/signer.js (Extension) -> http-signature-1.1.1/lib/index.js (Extension) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability Detailsjson-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.5%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2018-1000620
### Vulnerable Library - cryptiles-2.0.5.tgzGeneral purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/cryptiles/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - hawk-3.1.3.tgz - :x: **cryptiles-2.0.5.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` cryptiles-2.0.5/lib/index.js (Application) -> hawk-3.1.3/lib/client.js (Extension) -> hawk-3.1.3/lib/index.js (Extension) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability DetailsEran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution: v4.1.2
CVE-2018-3728
### Vulnerable Library - hoek-2.16.3.tgzGeneral purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/hoek/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - hawk-3.1.3.tgz - :x: **hoek-2.16.3.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` hoek-2.16.3/lib/index.js (Application) -> hawk-3.1.3/lib/client.js (Extension) -> hawk-3.1.3/lib/index.js (Extension) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability Detailshoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 1.0%
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2018-03-30
Fix Resolution: 4.2.0,5.0.3
CVE-2022-3517
### Vulnerable Library - minimatch-3.0.4.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/minimatch/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - ember-cli-less-1.5.7.tgz - broccoli-merge-trees-1.2.4.tgz - rimraf-2.7.1.tgz - glob-7.1.6.tgz - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` minimatch-3.0.4/minimatch.js (Application) -> glob-7.1.6/glob.js (Extension) -> ❌ bootstrap-v3.3.6/grunt/bs-raw-files-generator.js (Vulnerable Component) ``` ### Vulnerability DetailsA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-24999
### Vulnerable Libraries - qs-6.4.0.tgz, qs-6.2.3.tgz### qs-6.4.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.4.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/less/node_modules/qs/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - ember-cli-less-1.5.7.tgz - broccoli-less-single-0.6.4.tgz - less-2.7.3.tgz - request-2.81.0.tgz - :x: **qs-6.4.0.tgz** (Vulnerable Library) ### qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/qs/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - :x: **qs-6.2.3.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` qs-6.4.0/lib/parse.js (Application) -> qs-6.4.0/lib/index.js (Extension) -> request-2.81.0/lib/querystring.js (Extension) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability Detailsqs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 1.9%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.4.1
Direct dependency fix Resolution (em-table): 0.12.1
Fix Resolution (qs): 6.4.1
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-29167
### Vulnerable Library - hawk-3.1.3.tgzHTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/hawk/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - :x: **hawk-3.1.3.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` hawk-3.1.3/lib/utils.js (Application) -> hawk-3.1.3/lib/index.js (Extension) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability DetailsHawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.
Publish Date: 2022-05-05
URL: CVE-2022-29167
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution: hawk - 9.0.1
CVE-2020-8203
### Vulnerable Library - lodash-4.17.15.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/lodash/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - form-data-1.0.1.tgz - async-2.6.3.tgz - :x: **lodash-4.17.15.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` lodash-4.17.15/lodash.js (Application) -> ❌ yarn-ui-0.0.1/app/controllers/yarn-flow-activity.js (Vulnerable Component) ``` ### Vulnerability DetailsPrototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 1.7%
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-23337
### Vulnerable Library - lodash-4.17.15.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/lodash/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - form-data-1.0.1.tgz - async-2.6.3.tgz - :x: **lodash-4.17.15.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` lodash-4.17.15/lodash.js (Application) -> ❌ yarn-ui-0.0.1/app/controllers/yarn-flow-activity.js (Vulnerable Component) ``` ### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
### Threat AssessmentExploit Maturity: Proof of concept
EPSS: 0.9%
### CVSS 3 Score Details (7.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2023-26136
### Vulnerable Library - tough-cookie-2.3.4.tgzRFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.4.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/tough-cookie/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - :x: **tough-cookie-2.3.4.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` tough-cookie-2.3.4/lib/memstore.js (Application) -> tough-cookie-2.3.4/lib/cookie.js (Extension) -> request-2.81.0/lib/cookies.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability DetailsVersions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
### Threat AssessmentExploit Maturity: Proof of concept
EPSS: 0.2%
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution: tough-cookie - 4.1.3
CVE-2023-28155
### Vulnerable Libraries - request-2.81.0.tgz, request-2.74.0.tgz### request-2.81.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.81.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/less/node_modules/request/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - ember-cli-less-1.5.7.tgz - broccoli-less-single-0.6.4.tgz - less-2.7.3.tgz - :x: **request-2.81.0.tgz** (Vulnerable Library) ### request-2.74.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.74.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/request/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - :x: **request-2.74.0.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` request-2.81.0/lib/redirect.js (Application) -> request-2.81.0/request.js (Extension) -> request-2.81.0/index.js (Extension) -> ❌ yarn-ui-0.0.1/bower_components/alasql/dist/alasql.fs.js (Vulnerable Component) ``` ### Vulnerability DetailsThe Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2020-28500
### Vulnerable Library - lodash-4.17.15.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/lodash/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - form-data-1.0.1.tgz - async-2.6.3.tgz - :x: **lodash-4.17.15.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability Analysis This vulnerability is potentially reachable ``` lodash-4.17.15/lodash.js (Application) -> ❌ yarn-ui-0.0.1/app/controllers/yarn-flow-activity.js (Vulnerable Component) ``` ### Vulnerability DetailsLodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
### Threat AssessmentExploit Maturity: Proof of concept
EPSS: 0.2%
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2020-0344
### Vulnerable Library - is-my-json-valid-2.20.0.tgzA [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/is-my-json-valid/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - har-validator-2.0.6.tgz - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsArbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
### Threat AssessmentExploit Maturity: Not Defined
EPSS:
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-06-09
Fix Resolution (is-my-json-valid): 2.20.3
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-44906
### Vulnerable Library - minimist-0.0.8.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/minimist/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - extract-zip-1.5.0.tgz - mkdirp-0.5.0.tgz - :x: **minimist-0.0.8.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 3.5%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution: minimist - 0.2.4,1.2.6
CVE-2019-10744
### Vulnerable Library - lodash.merge-3.3.2.tgzThe modern build of lodash’s `_.merge` as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-3.3.2.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/lodash.merge/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - ember-cli-less-1.5.7.tgz - :x: **lodash.merge-3.3.2.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsVersions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-25
URL: CVE-2019-10744
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 2.1%
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf85-cpcp-j695
Release Date: 2019-07-25
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
WS-2020-0345
### Vulnerable Library - jsonpointer-4.0.1.tgzSimple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/jsonpointer/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - har-validator-2.0.6.tgz - is-my-json-valid-2.20.0.tgz - :x: **jsonpointer-4.0.1.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsPrototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
### Threat AssessmentExploit Maturity: Not Defined
EPSS:
### CVSS 3 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-07-03
Fix Resolution (jsonpointer): 4.1.0
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-43138
### Vulnerable Library - async-2.6.3.tgzHigher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/async/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - form-data-1.0.1.tgz - :x: **async-2.6.3.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2020-0342
### Vulnerable Library - is-my-json-valid-2.20.0.tgzA [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/is-my-json-valid/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - har-validator-2.0.6.tgz - :x: **is-my-json-valid-2.20.0.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsRegular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
### Threat AssessmentExploit Maturity: Not Defined
EPSS:
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-06-27
Fix Resolution (is-my-json-valid): 2.20.2
Direct dependency fix Resolution (em-table): 0.12.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2020-8244
### Vulnerable Library - bl-1.1.2.tgzBuffer List: collect buffers and access with a standard readable Buffer interface, streamable too!
Library home page: https://registry.npmjs.org/bl/-/bl-1.1.2.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/phantomjs-prebuilt/node_modules/bl/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - phantomjs-prebuilt-2.1.13.tgz - request-2.74.0.tgz - :x: **bl-1.1.2.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsA buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
Publish Date: 2020-08-30
URL: CVE-2020-8244
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r
Release Date: 2020-08-30
Fix Resolution: bl - 1.2.3,2.2.1,3.0.1,4.0.3
CVE-2018-3721
### Vulnerable Library - lodash.merge-3.3.2.tgzThe modern build of lodash’s `_.merge` as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-3.3.2.tgz
Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/package.json
Path to vulnerable library: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/node_modules/lodash.merge/package.json
Dependency Hierarchy: - em-table-0.12.0.tgz (Root Library) - ember-cli-less-1.5.7.tgz - :x: **lodash.merge-3.3.2.tgz** (Vulnerable Library)
Found in base branch: hubspot-3.3
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability Detailslodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects. Mend Note: Converted from WS-2019-0184, on 2022-11-08.
Publish Date: 2018-04-26
URL: CVE-2018-3721
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-04-26
Fix Resolution: lodash 4.17.5
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.