color-1.0.3.tgz: 2 vulnerabilities (highest severity is: 7.5) reachable

[mend-for-github-com[bot]]

Vulnerable Library - color-1.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color/node_modules/color-string/package.json

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (color version)	Remediation Possible**	Reachability
WS-2021-0152	High	7.5	Not Defined		color-string-1.5.2.tgz	Transitive	2.0.0	✅	Reachable
CVE-2021-29060	Medium	5.3	Not Defined	0.2%	color-string-1.5.2.tgz	Transitive	2.0.0	✅	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2021-0152

### Vulnerable Library - color-string-1.5.2.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color/node_modules/color-string/package.json

Dependency Hierarchy: - color-1.0.3.tgz (Root Library) - :x: **color-string-1.5.2.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` metabase-0.0.0/frontend/src/metabase/visualizations/visualizations/Progress.jsx (Application) -> color-1.0.3/index.js (Extension) -> ❌ color-string-1.5.2/index.js (Vulnerable Component) ```

### Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (color): 2.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-29060

### Vulnerable Library - color-string-1.5.2.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color/node_modules/color-string/package.json

Dependency Hierarchy: - color-1.0.3.tgz (Root Library) - :x: **color-string-1.5.2.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` metabase-0.0.0/frontend/src/metabase/visualizations/visualizations/Progress.jsx (Application) -> color-1.0.3/index.js (Extension) -> ❌ color-string-1.5.2/index.js (Vulnerable Component) ```

### Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

Publish Date: 2021-06-21

URL: CVE-2021-29060

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-257v-vj4p-3w2h

Release Date: 2021-06-21

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (color): 2.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

---

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.