mend-for-github-com[bot]
commented
4 months ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #935
Closed mend-for-github-com[bot] closed 4 months ago
mend-for-github-com[bot]
commented
4 months ago :information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #935
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-15256
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsA prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (9.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (resolve-url-loader): 3.1.2
In order to enable automatic remediation, please create workflow rules
CVE-2021-23434
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsThis affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Publish Date: 2021-08-27
URL: CVE-2021-23434
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23434
Release Date: 2021-08-27
Fix Resolution (object-path): 0.11.6
Direct dependency fix Resolution (resolve-url-loader): 3.1.2
In order to enable automatic remediation, please create workflow rules
CVE-2022-38900
### Vulnerable Library - decode-uri-component-0.2.0.tgzA better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - rework-1.0.1.tgz - css-2.2.4.tgz - source-map-resolve-0.5.2.tgz - :x: **decode-uri-component-0.2.0.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability Detailsdecode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (resolve-url-loader): 3.1.2
In order to enable automatic remediation, please create workflow rules
CVE-2021-3805
### Vulnerable Library - object-path-0.11.4.tgzAccess deep object properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - adjust-sourcemap-loader-2.0.0.tgz - :x: **object-path-0.11.4.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability Detailsobject-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-17
URL: CVE-2021-3805
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053/
Release Date: 2021-09-17
Fix Resolution (object-path): 0.11.8
Direct dependency fix Resolution (resolve-url-loader): 3.1.2
In order to enable automatic remediation, please create workflow rules
CVE-2021-23382
### Vulnerable Library - postcss-7.0.21.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - :x: **postcss-7.0.21.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsThe package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (resolve-url-loader): 3.1.4
In order to enable automatic remediation, please create workflow rules
CVE-2021-23368
### Vulnerable Library - postcss-7.0.21.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - resolve-url-loader-3.1.1.tgz (Root Library) - :x: **postcss-7.0.21.tgz** (Vulnerable Library)
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
### Vulnerability DetailsThe package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.5%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (resolve-url-loader): 3.1.4
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules