webpack-4.29.6.tgz: 13 vulnerabilities (highest severity is: 9.1) - autoclosed

Vulnerable Library - webpack-4.29.6.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-4.29.6.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (webpack version)	Remediation Possible**
CVE-2024-42461	Critical	9.1	elliptic-6.4.1.tgz	Transitive	N/A*	❌
CVE-2020-13822	High	7.7	elliptic-6.4.1.tgz	Transitive	4.30.0	✅
CVE-2024-4068	High	7.5	braces-3.0.2.tgz	Transitive	N/A*	❌
CVE-2021-27290	High	7.5	ssri-6.0.1.tgz	Transitive	4.30.0	✅
CVE-2020-28498	Medium	6.8	elliptic-6.4.1.tgz	Transitive	4.30.0	✅
CVE-2023-46234	Medium	6.5	browserify-sign-4.0.4.tgz	Transitive	4.30.0	✅
CVE-2024-43788	Medium	6.4	webpack-4.29.6.tgz	Direct	webpack - 5.94.0	✅
WS-2019-0427	Medium	5.9	elliptic-6.4.1.tgz	Transitive	4.30.0	✅
WS-2019-0424	Medium	5.9	elliptic-6.4.1.tgz	Transitive	4.30.0	✅
CVE-2020-15366	Medium	5.6	ajv-6.10.0.tgz	Transitive	4.30.0	✅
CVE-2024-42460	Medium	5.3	elliptic-6.4.1.tgz	Transitive	N/A*	❌
CVE-2024-42459	Medium	5.3	elliptic-6.4.1.tgz	Transitive	N/A*	❌
CVE-2020-28469	Medium	5.3	glob-parent-5.1.1.tgz	Transitive	5.0.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-42461

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

Publish Date: 2024-08-02

URL: CVE-2024-42461

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-13822

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

### CVSS 3 Score Details (7.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-08-01

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-4068

### Vulnerable Library - braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - watchpack-1.7.2.tgz - chokidar-3.4.0.tgz - :x: **braces-3.0.2.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2021-27290

### Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - terser-webpack-plugin-1.4.3.tgz - cacache-12.0.3.tgz - :x: **ssri-6.0.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-28498

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

### CVSS 3 Score Details (6.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution (elliptic): 6.5.4

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-46234

### Vulnerable Library - browserify-sign-4.0.4.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - :x: **browserify-sign-4.0.4.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution (browserify-sign): 4.2.2

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-43788

### Vulnerable Library - webpack-4.29.6.tgz

Library home page: https://registry.npmjs.org/webpack/-/webpack-4.29.6.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - :x: **webpack-4.29.6.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-08-27

URL: CVE-2024-43788

### CVSS 3 Score Details (6.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

Release Date: 2024-08-27

Fix Resolution: webpack - 5.94.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0427

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The function getNAF() in elliptic library has information leakage. This issue is mitigated in version 6.5.2

Publish Date: 2019-11-22

URL: WS-2019-0427

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-11-22

Fix Resolution (elliptic): 6.5.2

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

WS-2019-0424

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

all versions of elliptic are vulnerable to Timing Attack through side-channels.

Publish Date: 2019-11-13

URL: WS-2019-0424

### CVSS 3 Score Details (5.9)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424

Release Date: 2019-11-13

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-15366

### Vulnerable Library - ajv-6.10.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - :x: **ajv-6.10.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (webpack): 4.30.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-42460

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Publish Date: 2024-08-02

URL: CVE-2024-42460

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-08-02

Fix Resolution: elliptic - 6.5.7

CVE-2024-42459

### Vulnerable Library - elliptic-6.4.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - node-libs-browser-2.2.0.tgz - crypto-browserify-3.12.0.tgz - browserify-sign-4.0.4.tgz - :x: **elliptic-6.4.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

Publish Date: 2024-08-02

URL: CVE-2024-42459

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-28469

### Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Path to vulnerable library: /nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main/package.json

Dependency Hierarchy: - webpack-4.29.6.tgz (Root Library) - watchpack-1.7.2.tgz - chokidar-3.4.0.tgz - :x: **glob-parent-5.1.1.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (webpack): 5.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

snowdensb / nifi

webpack-4.29.6.tgz: 13 vulnerabilities (highest severity is: 9.1) - autoclosed #549

Vulnerabilities

Details