Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.
Vulnerable Library - fsevents-1.2.2.tgz
Native Access to Mac OS-X FSEvents
Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
MSC-2023-16605
### Vulnerable Library - fsevents-1.2.2.tgzNative Access to Mac OS-X FSEvents
Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
Dependency Hierarchy: - :x: **fsevents-1.2.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThis package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.
Publish Date: 2023-09-20
URL: MSC-2023-16605
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.MSC-2023-16603
### Vulnerable Library - fsevents-1.2.2.tgzNative Access to Mac OS-X FSEvents
Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
Dependency Hierarchy: - :x: **fsevents-1.2.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThis package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.
Publish Date: 2023-09-20
URL: MSC-2023-16603
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.CVE-2023-45311
### Vulnerable Library - fsevents-1.2.2.tgzNative Access to Mac OS-X FSEvents
Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/os_mismatch/package.json
Dependency Hierarchy: - :x: **fsevents-1.2.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsfsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.
Publish Date: 2023-10-06
URL: CVE-2023-45311
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311
Release Date: 2023-10-06
Fix Resolution: 1.2.11
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.