rsoreq / zenbot

Zenbot is a command-line cryptocurrency trading bot using Node.js and MongoDB.
MIT License

snyk-1.374.0.tgz: 3 vulnerabilities (highest severity is: 8.7) #940

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - snyk-1.374.0.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.374.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (snyk version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-3807 | High | 8.7 | Not Defined | 0.4% | ansi-regex-3.0.0.tgz | Transitive | 1.375.0 | | |
| CVE-2022-40764 | High | 8.5 | Not Defined | 0.1% | snyk-1.374.0.tgz | Direct | 1.996.0 | | |
| CVE-2022-33987 | Medium | 6.9 | Not Defined | 0.1% | got-11.5.2.tgz | Transitive | 1.685.0 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2021-3807**

### Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- snyk-1.374.0.tgz (Root Library)
  - inquirer-6.2.2-patch.tgz
    - string-width-2.1.1.tgz
      - strip-ansi-4.0.0.tgz
        - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (snyk): 1.375.0

In order to enable automatic remediation, please create workflow rules

**CVE-2022-40764**

### Vulnerable Library - snyk-1.374.0.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.374.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- :x: **snyk-1.374.0.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

Publish Date: 2022-10-03

URL: CVE-2022-40764

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (8.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hpqj-7cj6-hfj8

Release Date: 2022-10-03

Fix Resolution: 1.996.0


**CVE-2022-33987**

### Vulnerable Library - got-11.5.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- snyk-1.374.0.tgz (Root Library)
  - snyk-nodejs-lockfile-parser-1.26.3.tgz
    - core-2.1.1.tgz
      - :x: **got-11.5.2.tgz** (Vulnerable Library)

Found in base branch: unstable

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (6.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 11.8.6

Direct dependency fix Resolution (snyk): 1.685.0

In order to enable automatic remediation for this issue, please create workflow rules