mend-for-github-com[bot]
commented
1 month ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-33623
### Vulnerable Library - trim-newlines-3.0.0.tgzTrim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - meow-6.1.1.tgz - :x: **trim-newlines-3.0.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-7753
### Vulnerable Library - trim-0.0.1.tgzTrim string whitespace
Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - postcss-markdown-0.36.1.tgz - remark-12.0.0.tgz - remark-parse-8.0.2.tgz - :x: **trim-0.0.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAll versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Publish Date: 2020-10-27
URL: CVE-2020-7753
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-10-27
Fix Resolution (trim): 0.0.3
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-15366
### Vulnerable Library - ajv-6.12.2.tgzAnother JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.2.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - table-5.4.6.tgz - :x: **ajv-6.12.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
### CVSS 3 Score Details (5.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-4067
### Vulnerable Library - micromatch-4.0.2.tgzGlob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - :x: **micromatch-4.0.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8. Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.
Publish Date: 2024-05-13
URL: CVE-2024-4067
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-05-13
Fix Resolution: micromatch - 4.0.8
CVE-2023-44270
### Vulnerable Library - postcss-7.0.29.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.29.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - :x: **postcss-7.0.29.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAn issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Publish Date: 2023-09-29
URL: CVE-2023-44270
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
Release Date: 2023-09-29
Fix Resolution (postcss): 8.4.31
Direct dependency fix Resolution (stylelint): 16.0.0-0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-23382
### Vulnerable Library - postcss-7.0.29.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.29.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - :x: **postcss-7.0.29.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-23368
### Vulnerable Library - postcss-7.0.29.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.29.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - :x: **postcss-7.0.29.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-23364
### Vulnerable Library - browserslist-4.12.0.tgzShare target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.12.0.tgz
Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json
Dependency Hierarchy: - stylelint-13.3.3.tgz (Root Library) - autoprefixer-9.7.6.tgz - :x: **browserslist-4.12.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (stylelint): 13.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.