Open mend-for-github-com[bot] opened 1 month ago
Path to dependency file: /package.json
Path to vulnerable library: /package.json
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Dependency Hierarchy: - husky-4.2.5.tgz (Root Library) - find-versions-3.2.0.tgz - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)
Found in base branch: unstable
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
Exploit Maturity: Not Defined
EPSS: 0.1%
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (husky): 4.3.7
In order to enable automatic remediation, please create workflow rules
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-43307
### Vulnerable Library - semver-regex-2.0.0.tgzRegular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - husky-4.2.5.tgz (Root Library) - find-versions-3.2.0.tgz - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsAn exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2022-06-02
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (husky): 4.3.7
In order to enable automatic remediation, please create workflow rules
CVE-2021-3795
### Vulnerable Library - semver-regex-2.0.0.tgzRegular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - husky-4.2.5.tgz (Root Library) - find-versions-3.2.0.tgz - :x: **semver-regex-2.0.0.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability Detailssemver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (husky): 4.3.7
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules