search

snowdensb / dependabot-core

🤖 The core logic behind Dependabot's update PR creation, and the public issue tracker for all things Dependabot
https://github.com/features/security
Other
0 stars 0 forks source link

eslint-7.31.0.tgz: 1 vulnerabilities (highest severity is: 7.5) #1123

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - eslint-7.31.0.tgz

Path to dependency file: /npm_and_yarn/helpers/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_typescript_no_lockfile/node_modules/ansi-regex/package.json,/npm_and_yarn/helpers/node_modules/ansi-regex/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (eslint version) Remediation Possible** Reachability
CVE-2021-3807 High 7.5 ansi-regex-5.0.0.tgz Transitive 7.32.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-3807 ### Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_typescript_no_lockfile/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_typescript_no_lockfile/node_modules/ansi-regex/package.json,/npm_and_yarn/helpers/node_modules/ansi-regex/package.json

Dependency Hierarchy: - eslint-7.31.0.tgz (Root Library) - strip-ansi-6.0.0.tgz - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-93q8-gq69-wqmw

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (eslint): 7.32.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.