:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - react-scripts-5.0.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc

## Vulnerabilities
| CVE | CVSS 3 | Vulnerable library | Fix resolution | Direct dependency fix |
|---|---|---|---|---|
| CVE-2022-37601 | 9.8 | loader-utils-1.4.0.tgz | loader-utils 1.4.1 | react-scripts 5.0.1 |
| CVE-2022-29078 | 9.8 | ejs-3.1.6.tgz | ejs 3.1.7 | react-scripts 5.0.1 |
| CVE-2021-43138 | 7.8 | async-0.9.2.tgz, async-2.6.3.tgz | async 2.6.4 | react-scripts 5.0.1 |
| CVE-2022-25858 | 7.5 | terser-5.10.0.tgz | terser 5.15.0 | react-scripts 5.0.1 |
| CVE-2022-37603 | 7.5 | loader-utils-3.2.0.tgz, loader-utils-2.0.2.tgz, loader-utils-1.4.0.tgz | loader-utils 3.2.1 / 2.0.4 | react-scripts 5.0.1 |
| CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | minimatch 3.0.5 | none listed |
| CVE-2022-37599 | 7.5 | loader-utils-2.0.2.tgz | loader-utils 2.0.3 | react-scripts 5.0.1 |
| CVE-2021-3803 | 7.5 | nth-check-1.0.2.tgz | nth-check 2.0.1 | react-scripts 5.0.1 |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed. CVE-2022-3517 in minimatch is that case here: the report names minimatch 3.0.5 but no react-scripts release.

Two things are worth checking before treating "upgrade react-scripts to 5.0.1" as the remediation. First, every finding sits under react-scripts, the build toolchain, so the vulnerable code runs at build time: the ReDoS findings need attacker-influenced build inputs (file names and paths for loader-utils, glob patterns for minimatch, style rules inside SVG files for nth-check, JavaScript source for terser), the loader-utils prototype pollution needs a loader query string, and the ejs injection needs template options that come from an untrusted source. Second, bumping the direct dependency only helps if the lock file actually re-resolves each transitive copy: confirm with `npm ls loader-utils` (and likewise for async, terser, minimatch, ejs and nth-check) after the upgrade, and pin any copy that stays behind with an `overrides` entry in package.json (npm 8.3 or later).
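The dependency hierarchies under "Details" are what the transitive-fix note is about: whether a bump of react-scripts re-resolves loader-utils depends on where each copy sits in node_modules. As an added example that is not Mend's or react-scripts' code, the Node.js script below walks a package-lock.json v2/v3 "packages" map using Node's nested node_modules resolution rule, lists every path from the root to a copy of a package below its fixed version, and emits the nested npm `overrides` entry that pins that one copy. The lock-file fragment and the advisory table are constructed to mirror the loader-utils hierarchy in this report (fix versions taken from its Suggested Fix sections); `findVulnerablePaths`, `buildOverrides` and the other function names are mine.

```javascript
// Added example (not Mend's or react-scripts' code). Walks a package-lock.json
// "packages" map (lockfileVersion 2 or 3), finds every dependency path that
// reaches a package below its fixed version, and emits an npm "overrides"
// block pinning each instance individually.

// CONSTRUCTED lock-file fragment mirroring the report's loader-utils hierarchy;
// it is not the repository's real package-lock.json.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "module-1", dependencies: { "react-scripts": "5.0.0" } },
    "node_modules/react-scripts": {
      version: "5.0.0",
      dependencies: { "babel-loader": "^8.2.3", "file-loader": "^6.2.0" },
    },
    "node_modules/babel-loader": { version: "8.2.3", dependencies: { "loader-utils": "^1.4.0" } },
    "node_modules/babel-loader/node_modules/loader-utils": { version: "1.4.0" },
    "node_modules/file-loader": { version: "6.2.0", dependencies: { "loader-utils": "^2.0.0" } },
    "node_modules/loader-utils": { version: "2.0.2" },
  },
};

// Fixed version per major line, taken from the report's Suggested Fix sections.
// ASSUMPTION: a version is vulnerable when it is below the fix for its major line.
const ADVISORIES = {
  "loader-utils": { 1: "1.4.1", 2: "2.0.4", 3: "3.2.1" },
};

// Minimal semver compare for "x.y.z" strings (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function fixedVersionFor(advisories, name, version) {
  const lines = advisories[name];
  if (!lines) return null;
  const fixed = lines[version.split(".")[0]];
  return fixed && compareVersions(version, fixed) < 0 ? fixed : null;
}

// Node resolution: look for <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the top-level node_modules.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// "name@1.2.3" -> "name"; keeps the scope of "@scope/name@1.2.3".
function nameOf(entry) {
  const at = entry.lastIndexOf("@");
  return at > 0 ? entry.slice(0, at) : entry;
}

// Depth-first walk from the root package (""); one record per vulnerable copy:
// its lock path, the chain from the root, its immediate dependent, the pin.
function findVulnerablePaths(lock, advisories) {
  const found = [];
  const visit = (path, chain, seen) => {
    const pkg = lock.packages[path];
    if (!pkg || seen.has(path)) return;            // cycle guard
    const nextSeen = new Set(seen).add(path);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depPath = resolveDep(lock, path, dep);
      if (depPath === null) continue;               // absent from the lock: nothing to walk
      const version = lock.packages[depPath].version;
      const nextChain = [...chain, `${dep}@${version}`];
      const fixed = fixedVersionFor(advisories, dep, version);
      if (fixed) found.push({ path: depPath, chain: nextChain, parent: nameOf(chain[chain.length - 1]), fixed });
      visit(depPath, nextChain, nextSeen);
    }
  };
  visit("", [lock.packages[""].name], new Set());
  return found;
}

// Builds package.json "overrides": one nested entry per dependent, so that
// babel-loader's and file-loader's loader-utils can be pinned to different
// major lines. Direct dependencies of the root get a top-level entry.
function buildOverrides(findings, rootName) {
  const overrides = {};
  for (const f of findings) {
    const dep = nameOf(f.chain[f.chain.length - 1]);
    if (f.parent === rootName) {
      overrides[dep] = f.fixed;
    } else {
      overrides[f.parent] = overrides[f.parent] || {};
      overrides[f.parent][dep] = f.fixed;
    }
  }
  return overrides;
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = findVulnerablePaths(LOCK, ADVISORIES);
  for (const f of findings) console.log(`${f.chain.join(" > ")}  ->  pin ${f.fixed}`);
  console.log(JSON.stringify({ overrides: buildOverrides(findings, LOCK.packages[""].name) }, null, 2));
}
```

Run it with `node` to print the two chains and the overrides block; point it at a real lock file by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Nested overrides are the right shape here because babel-loader and file-loader pull different major lines of loader-utils; a single top-level `"loader-utils": "2.0.4"` would force the 1.x consumer onto a version it was never tested with.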
## Details
**CVE-2022-37601**

### Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - babel-loader-8.2.3.tgz
    - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
The advisory text names 2.0.0, but the 1.x line is affected as well: the copy found here is 1.4.0 and the fix for it is 1.4.1. parseQuery parses a loader's query string (the part after `?` in a webpack loader or resource reference), so the attacker has to control loader options or a resource query in the build configuration.
Publish Date: 2022-10-12
URL: CVE-2022-37601

### CVSS 3 Score Details (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (react-scripts): 5.0.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

**CVE-2022-29078**

### Vulnerable Library - ejs-3.1.6.tgz
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/ejs/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - workbox-webpack-plugin-6.4.2.tgz
    - workbox-build-6.4.2.tgz
      - rollup-plugin-off-main-thread-2.2.3.tgz
        - :x: **ejs-3.1.6.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
In this tree ejs is reached only through workbox-build's rollup plugin, i.e. at build time. The injection needs an application that lets untrusted input into the options handed to ejs (the well-known case is an Express app passing request parameters through to `res.render`), so check whether the application itself also depends on ejs at runtime before treating the 9.8 as a deployed-application risk.
Publish Date: 2022-04-25
URL: CVE-2022-29078

### CVSS 3 Score Details (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078
Release Date: 2022-04-25
Fix Resolution (ejs): 3.1.7
Direct dependency fix Resolution (react-scripts): 5.0.1
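What "server-side template injection in settings[view options][outputFunctionName]" means in practice is that an option value was spliced into generated JavaScript as if it were an identifier. The block below is an added example, not ejs code: a toy compiler that builds the template function's source by string concatenation, with the unvalidated version (`compileUnsafe`) beside the hardened one (`compileSafe`), which accepts only a syntactically valid identifier. The template syntax, the option name handling and the benign payload (it sets a global flag rather than running a command) are all constructed for the illustration.

```javascript
// Added example, not ejs code: a toy template compiler that builds JavaScript
// source by string concatenation, modelling how an unvalidated
// outputFunctionName option ends up inside the compiled function
// (CVE-2022-29078). Template syntax is deliberately minimal: <%= expr %> only.

// Emits __append(...) calls for literal text and for each <%= expr %>.
function bodyFor(template) {
  const re = /<%=([\s\S]*?)%>/g;
  let src = "";
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    src += `__append(${JSON.stringify(template.slice(last, m.index))});\n`;
    src += `__append((${m[1].trim()}));\n`;
    last = m.index + m[0].length;
  }
  src += `__append(${JSON.stringify(template.slice(last))});\n`;
  return src;
}

// VULNERABLE (modelled): opts.outputFunctionName is pasted verbatim into source.
// A value such as "x = 1; globalThis.injected = 'ran'; y" turns the intended
// "var <name> = __append;" into three statements, the middle one attacker-chosen.
function compileUnsafe(template, opts = {}) {
  let src = "let __output = '';\n";
  src += "const __append = (s) => { __output += String(s); };\n";
  if (opts.outputFunctionName) {
    src += `var ${opts.outputFunctionName} = __append;\n`;
  }
  src += bodyFor(template);
  src += "return __output;";
  return new Function("locals", src);   // injected statements run on first render
}

// HARDENED: only a syntactically valid identifier may name the output function,
// so nothing but an identifier can ever reach the generated source.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

function compileSafe(template, opts = {}) {
  if (opts.outputFunctionName !== undefined && !JS_IDENTIFIER.test(String(opts.outputFunctionName))) {
    throw new Error("outputFunctionName must be a JavaScript identifier");
  }
  return compileUnsafe(template, opts);
}

// CONSTRUCTED attacker-controlled "view options"; the payload only sets a flag.
const EVIL_OPTIONS = { outputFunctionName: "x = 1; globalThis.injected = 'ran'; y" };

// Renders with the unsafe compiler and reports whether the injected statement ran.
function demoUnsafe() {
  delete globalThis.injected;
  const render = compileUnsafe("Hi <%= locals.name %>", EVIL_OPTIONS);
  const out = render({ name: "bob" });
  const leaked = globalThis.injected;     // "ran": the injected statement executed
  delete globalThis.injected;
  delete globalThis.y;                    // the payload's trailing "y = __append" leaked a global too
  return { out, leaked };
}

// The hardened compiler rejects the payload and still renders with a real identifier.
function demoSafe() {
  delete globalThis.injected;
  let rejected = false;
  try { compileSafe("Hi <%= locals.name %>", EVIL_OPTIONS); } catch (e) { rejected = true; }
  const out = compileSafe("Hi <%= locals.name %>", { outputFunctionName: "echo" })({ name: "bob" });
  return { rejected, out, leaked: globalThis.injected };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoUnsafe());   // { out: 'Hi bob', leaked: 'ran' }
  console.log(demoSafe());     // { rejected: true, out: 'Hi bob', leaked: undefined }
}
```

The point of the hardened version is that the check is on the shape of the value, not on a denylist of dangerous substrings: anything that is not an identifier is refused before it touches `new Function`, which is also why the real fix is an upgrade rather than input filtering in the calling application.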
**CVE-2021-43138**

### Vulnerable Libraries - async-0.9.2.tgz, async-2.6.3.tgz

### async-0.9.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-0.9.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/jake/node_modules/async/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - workbox-webpack-plugin-6.4.2.tgz
    - workbox-build-6.4.2.tgz
      - rollup-plugin-off-main-thread-2.2.3.tgz
        - ejs-3.1.6.tgz
          - jake-10.8.2.tgz
            - :x: **async-0.9.2.tgz** (Vulnerable Library)

### async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/async/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - webpack-dev-server-4.7.4.tgz
    - portfinder-1.0.28.tgz
      - :x: **async-2.6.3.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138

### CVSS 3 Score Details (7.8)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

The local vector and required interaction reflect that the polluting object has to be handed to mapValues() by code the application runs itself; both copies here sit in build-time tooling (jake under ejs, portfinder under webpack-dev-server).

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4 for both copies (async-0.9.2.tgz under jake, async-2.6.3.tgz under portfinder); for the 0.9.2 copy this is a major-version jump that its dependent jake has to accept, so confirm with `npm ls async` after upgrading
Direct dependency fix Resolution (react-scripts): 5.0.1
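Both the loader-utils parseQuery finding (CVE-2022-37601, above) and the async mapValues finding here are the same bug class: an attacker-chosen key is used as a property name on a plain object, and the key `__proto__` walks onto Object.prototype, so the assignment shows up on every object in the process. The block below is an added example, not loader-utils' or async's code: a minimal nested-key query parser with the vulnerable walk (`parseQueryUnsafe`) beside a hardened one (`parseQuerySafe`) that rejects prototype-chain keys and builds on prototype-less objects. The query syntax, the attack string and the function names are constructed for the illustration.

```javascript
// Added example, not loader-utils' or async's code: a simplified model of the
// prototype-pollution bug class behind CVE-2022-37601 (parseQuery) and
// CVE-2021-43138 (mapValues): an attacker-controlled key is used as a property
// name on an ordinary object, and "__proto__" walks onto Object.prototype.

// Splits "?a[b]=1&c=2" into [["a[b]","1"],["c","2"]] with URL decoding.
function splitPairs(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    return [decodeURIComponent(key), decodeURIComponent(value)];
  });
}

// "a[b][c]" -> ["a", "b", "c"]
function keyPath(key) {
  return key.split(/\]?\[|\]$/).filter(Boolean);
}

// VULNERABLE (modelled): walks and assigns through a plain {} using raw keys.
function parseQueryUnsafe(query) {
  const result = {};
  for (const [key, value] of splitPairs(query)) {
    const path = keyPath(key);
    if (path.length === 0) continue;
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      // cur["__proto__"] is Object.prototype, so the final assignment below
      // lands on every object in the process.
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: reject the keys that reach the prototype chain, and build the result
// on prototype-less objects so "__proto__" would be an ordinary own key anyway.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [key, value] of splitPairs(query)) {
    const path = keyPath(key);
    if (path.length === 0) continue;
    for (const seg of path) {
      if (FORBIDDEN_KEYS.has(seg)) throw new Error(`rejected key "${seg}"`);
    }
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(cur, path[i]) || typeof cur[path[i]] !== "object") {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// CONSTRUCTED attacker input; the same key shape works on any nested-key parser.
const ATTACK = "?__proto__[polluted]=yes";

// Pollutes, reads the key back from an unrelated fresh object, then cleans up.
function demoUnsafe() {
  parseQueryUnsafe(ATTACK);
  const leaked = ({}).polluted;             // "yes" on an object the parser never touched
  delete Object.prototype.polluted;         // undo the pollution for the rest of the process
  return leaked;
}

// The hardened parser refuses the key, and nothing leaks.
function demoSafe() {
  let rejected = false;
  try { parseQuerySafe(ATTACK); } catch (e) { rejected = true; }
  return { rejected, leaked: ({}).polluted };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe leaked:", demoUnsafe());   // unsafe leaked: yes
  console.log("safe:", demoSafe());              // safe: { rejected: true, leaked: undefined }
}
```

`Object.create(null)` on its own already closes the walk (there is no `__proto__` accessor to reach), but the explicit rejection keeps the intent visible and covers the `constructor.prototype` route as well.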
**CVE-2022-25858**

### Vulnerable Library - terser-5.10.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-5.10.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/terser/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - terser-webpack-plugin-5.3.1.tgz
    - :x: **terser-5.10.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
terser before 4.8.1, and 5.x from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions. The input is the JavaScript being minified, so the exposure is a build that processes untrusted source.
Publish Date: 2022-07-15
URL: CVE-2022-25858

### CVSS 3 Score Details (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 5.15.0 (the advisory's own lower bound for the fixed 5.x line is 5.14.2)
Direct dependency fix Resolution (react-scripts): 5.0.1
**CVE-2022-37603**

### Vulnerable Libraries - loader-utils-3.2.0.tgz, loader-utils-2.0.2.tgz, loader-utils-1.4.0.tgz

### loader-utils-3.2.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-3.2.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/react-dev-utils/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - react-dev-utils-12.0.0.tgz
    - :x: **loader-utils-3.2.0.tgz** (Vulnerable Library)

### loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - file-loader-6.2.0.tgz
    - :x: **loader-utils-2.0.2.tgz** (Vulnerable Library)

### loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/babel-loader/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - babel-loader-8.2.3.tgz
    - :x: **loader-utils-1.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
interpolateName builds output file names from a loader's `name` template and the path of the resource being processed, so the trigger is crafted build input (a file name or path, or a loader option). All three copies in this tree (3.2.0, 2.0.2 and 1.4.0) carry the flaw.
Publish Date: 2022-10-14
URL: CVE-2022-37603

### CVSS 3 Score Details (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils), per copy in the order listed above:
- loader-utils-3.2.0.tgz (under react-dev-utils): 3.2.1
- loader-utils-2.0.2.tgz (under file-loader): 2.0.4
- loader-utils-1.4.0.tgz (under babel-loader): 2.0.4 as reported, which is a major-version jump for babel-loader; the 1.x line has its own patched release, 1.4.2
Direct dependency fix Resolution (react-scripts): 5.0.1
**CVE-2022-3517**

### Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/recursive-readdir/node_modules/minimatch/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - react-dev-utils-12.0.0.tgz
    - recursive-readdir-2.2.2.tgz
      - :x: **minimatch-3.0.4.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
The trigger is the glob pattern handed to braceExpand, not the file names matched against it, so this matters only where patterns come from an untrusted source.
Publish Date: 2022-10-17
URL: CVE-2022-3517

### CVSS 3 Score Details (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
No react-scripts release is listed as carrying this fix; this is the transitive case the note under "Vulnerabilities" refers to, so pin minimatch for recursive-readdir with an `overrides` entry rather than waiting on the direct dependency.
**CVE-2022-37599**

### Vulnerable Library - loader-utils-2.0.2.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-2.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/loader-utils/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - file-loader-6.2.0.tgz
    - :x: **loader-utils-2.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
This is the companion to CVE-2022-37603 above (same function, different variable): resourcePath is the path of the file the loader is processing, so a crafted path in the build inputs is the trigger. The 2.0.4 upgrade that closes CVE-2022-37603 covers this one as well, since the fix here is 2.0.3.
Publish Date: 2022-10-11
URL: CVE-2022-37599

### CVSS 3 Score Details (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Release Date: 2022-10-11
Fix Resolution (loader-utils): 2.0.3
Direct dependency fix Resolution (react-scripts): 5.0.1
**CVE-2021-3803**

### Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /devsecops_class/Demos/AWSGoat/modules/module-1/src/package.json
Path to vulnerable library: /devsecops_class/Demos/AWSGoat/modules/module-1/src/node_modules/svgo/node_modules/nth-check/package.json
Dependency Hierarchy:
- react-scripts-5.0.0.tgz (Root Library)
  - webpack-5.5.0.tgz (the @svgr/webpack package; the scope was dropped in the report's rendering)
    - plugin-svgo-5.5.0.tgz (@svgr/plugin-svgo)
      - svgo-1.3.2.tgz
        - css-select-2.1.0.tgz
          - :x: **nth-check-1.0.2.tgz** (Vulnerable Library)

Found in HEAD commit: 2347d85842bdf9673c5d1b5b40e6473ee4de1cbc
Found in base branch: main

### Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity.
The affected regex parses the argument of `:nth-child()`-style selectors; here it is reached through svgo's handling of style rules in SVG files during the build, so the trigger is a crafted SVG in the source tree.
Publish Date: 2021-09-17
URL: CVE-2021-3803

### CVSS 3 Score Details (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (react-scripts): 5.0.1
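Every 7.5 in this report (terser, the two loader-utils interpolateName findings, minimatch braceExpand and nth-check) is the same failure mode: a regular expression with nested or overlapping quantifiers whose backtracking grows exponentially with input length, scored C:N/I:N/A:H because the only effect is a hung process. The block below is an added example and not code from any of those packages: a constructed pattern with that shape, the linear-time rewrite of the same language, a timing harness, and a length guard with its limit stated honestly. The pattern, the inputs and the function names are all constructed for the illustration.

```javascript
// Added example, not code from terser, loader-utils, minimatch or nth-check: a
// harness showing the failure mode behind every ReDoS finding above
// (catastrophic backtracking from nested, overlapping quantifiers) next to a
// linear-time rewrite and an input guard.

// CONSTRUCTED vulnerable pattern: "words separated by single spaces". The inner
// \w+ and the outer (...)+ can split one run of letters in exponentially many
// ways, and the engine tries all of them when the overall match fails.
const VULNERABLE = /^(\w+\s?)+$/;

// Same language, one way to consume each character: no backtracking blow-up.
const SAFE = /^\w+(?:\s\w+)*\s?$/;

// Runs a regex and reports wall-clock time; "matched" is what callers use,
// the time is what the attacker cares about.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Classic failing input: a run of word characters followed by one character
// that can never match, so every split of the run is tried before giving up.
function attackInput(n) {
  return "a".repeat(n) + "!";
}

// Guard for untrusted input. The cap is cheap insurance for polynomial patterns
// but does not rescue an exponential one (2^256 is still forever), so it is
// paired with the rewritten regex rather than used instead of it.
const MAX_INPUT = 256;
function matchWithGuard(input) {
  if (typeof input !== "string" || input.length > MAX_INPUT) {
    return { matched: false, reason: "input rejected by length guard" };
  }
  return { matched: SAFE.test(input), reason: null };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [16, 20, 24]) {
    const v = timeMatch(VULNERABLE, attackInput(n));
    const s = timeMatch(SAFE, attackInput(n));
    console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, safe ${s.ms.toFixed(3)} ms`);
  }
}
```

Running it with `node` shows the vulnerable pattern's time roughly doubling per added character while the rewrite stays flat. The same harness, pointed at the real regex and a crafted file name, glob pattern or selector, is how to confirm that a fixed version actually closes one of the findings above rather than trusting the version number alone.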