snowdensb / microsoft-teams-apps-company-communicator

Company Communicator app template
MIT License

i18next-19.8.2.tgz: 2 vulnerabilities (highest severity is: 6.5) reachable #99

Open mend-for-github-com[bot] opened 6 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - i18next-19.8.2.tgz

i18next internationalization framework

Library home page: https://registry.npmjs.org/i18next/-/i18next-19.8.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/i18next/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (i18next version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2020-8244 | Medium | 6.5 | i18next-19.8.2.tgz | Direct | 19.8.3 | | Reachable |
| WS-2020-0438 | Medium | 4.8 | i18next-19.8.2.tgz | Direct | 19.8.3 | | Reachable |

\*\*In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

Details

**CVE-2020-8244**

### Vulnerable Library - i18next-19.8.2.tgz

i18next internationalization framework

Library home page: https://registry.npmjs.org/i18next/-/i18next-19.8.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/i18next/package.json

Dependency Hierarchy:

- :x: **i18next-19.8.2.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable:

```
company-communicator-5.1.0/src/i18n.ts (Application)
  -> ❌ i18next-19.8.2/dist/cjs/i18next.js (Vulnerable Component)
```

### Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that, if it ends up in the consume() argument and can become negative, corrupts the BufferList state, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution: 19.8.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2020-0438**

### Vulnerable Library - i18next-19.8.2.tgz

i18next internationalization framework

Library home page: https://registry.npmjs.org/i18next/-/i18next-19.8.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/i18next/package.json

Dependency Hierarchy:

- :x: **i18next-19.8.2.tgz** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

This vulnerability is potentially reachable:

```
company-communicator-5.1.0/src/i18n.ts (Application)
  -> ❌ i18next-19.8.2/dist/cjs/i18next.js (Vulnerable Component)
```

### Vulnerability Details

i18next in versions v19.6.0 to v19.8.2 is vulnerable to prototype pollution: it allows modifying the prototype of a base object, which may result in DoS, XSS, RCE, etc.

Publish Date: 2020-02-12

URL: WS-2020-0438

### CVSS 3 Score Details (4.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/968355

Release Date: 2020-02-12

Fix Resolution: 19.8.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.