A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/is-svg/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0152
### Vulnerable Library - color-string-1.5.3.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/color-string/package.json
Dependency Hierarchy: - optimize-css-assets-webpack-plugin-5.0.3.tgz (Root Library) - cssnano-4.1.10.tgz - cssnano-preset-default-4.0.7.tgz - postcss-colormin-4.0.3.tgz - color-3.1.2.tgz - :x: **color-string-1.5.3.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsRegular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 5.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-29059
### Vulnerable Library - is-svg-3.0.0.tgzCheck if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/is-svg/package.json
Dependency Hierarchy: - optimize-css-assets-webpack-plugin-5.0.3.tgz (Root Library) - cssnano-4.1.10.tgz - cssnano-preset-default-4.0.7.tgz - postcss-svgo-4.0.2.tgz - :x: **is-svg-3.0.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsA vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 5.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-28092
### Vulnerable Library - is-svg-3.0.0.tgzCheck if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/is-svg/package.json
Dependency Hierarchy: - optimize-css-assets-webpack-plugin-5.0.3.tgz (Root Library) - cssnano-4.1.10.tgz - cssnano-preset-default-4.0.7.tgz - postcss-svgo-4.0.2.tgz - :x: **is-svg-3.0.0.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsThe is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 5.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-29060
### Vulnerable Library - color-string-1.5.3.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/color-string/package.json
Dependency Hierarchy: - optimize-css-assets-webpack-plugin-5.0.3.tgz (Root Library) - cssnano-4.1.10.tgz - cssnano-preset-default-4.0.7.tgz - postcss-colormin-4.0.3.tgz - color-3.1.2.tgz - :x: **color-string-1.5.3.tgz** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsA Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (optimize-css-assets-webpack-plugin): 5.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.