CVE-2021-43861 (High) detected in mermaid-8.0.0-rc.8.min.js, mermaid-8.0.0-rc.8.js

[mend-for-github-com[bot]]

CVE-2021-43861 - High Severity Vulnerability

Vulnerable Libraries - mermaid-8.0.0-rc.8.min.js, mermaid-8.0.0-rc.8.js

mermaid-8.0.0-rc.8.min.js

Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams and gantt charts.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mermaid/8.0.0-rc.8/mermaid.min.js

Path to vulnerable library: /public/mermaid/mermaid.min.js

Dependency Hierarchy: - :x: **mermaid-8.0.0-rc.8.min.js** (Vulnerable Library)

mermaid-8.0.0-rc.8.js

Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams and gantt charts.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/mermaid/8.0.0-rc.8/mermaid.js

Path to vulnerable library: /public/mermaid/mermaid.js

Dependency Hierarchy: - :x: **mermaid-8.0.0-rc.8.js** (Vulnerable Library)

Found in HEAD commit: 86334f0df744f6cfa35a438987cbb4d18d65b5c2

Found in base branch: master

Vulnerability Details

Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2021-12-30

URL: CVE-2021-43861

CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861

Release Date: 2021-12-30

Fix Resolution: mermaid - 8.13.8