temporalio / temporal-ecommerce


cli-service-4.5.12.tgz: 30 vulnerabilities (highest severity is: 9.8) - autoclosed #26

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago
## Vulnerable Library - cli-service-4.5.12.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/async/package.json

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-0691 | High | 9.8 | url-parse-1.5.1.tgz | Transitive | N/A | |
| WS-2021-0153 | High | 9.8 | ejs-2.7.4.tgz | Transitive | N/A | |
| CVE-2021-44906 | High | 9.8 | minimist-1.2.5.tgz | Transitive | N/A | |
| CVE-2022-29078 | High | 9.8 | ejs-2.7.4.tgz | Transitive | N/A | |
| CVE-2022-0686 | High | 9.1 | url-parse-1.5.1.tgz | Transitive | N/A | |
| CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | N/A | |
| CVE-2021-23424 | High | 7.5 | ansi-html-0.0.7.tgz | Transitive | N/A | |
| CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | N/A | |
| CVE-2021-33502 | High | 7.5 | multiple | Transitive | N/A | |
| CVE-2021-27290 | High | 7.5 | multiple | Transitive | N/A | |
| CVE-2021-29059 | High | 7.5 | is-svg-3.0.0.tgz | Transitive | N/A | |
| CVE-2022-24772 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A | |
| CVE-2022-24771 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A | |
| CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A | |
| CVE-2021-3807 | High | 7.5 | multiple | Transitive | N/A | |
| CVE-2021-28092 | High | 7.5 | is-svg-3.0.0.tgz | Transitive | N/A | |
| CVE-2021-33587 | High | 7.5 | css-what-3.4.2.tgz | Transitive | N/A | |
| WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | N/A | |
| CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.13.3.tgz | Transitive | N/A | |
| CVE-2021-23386 | Medium | 6.5 | dns-packet-1.3.1.tgz | Transitive | N/A | |
| CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | N/A | |
| CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.13.3.tgz | Transitive | N/A | |
| CVE-2022-0512 | Medium | 5.3 | url-parse-1.5.1.tgz | Transitive | N/A | |
| CVE-2021-32640 | Medium | 5.3 | ws-6.2.1.tgz | Transitive | N/A | |
| CVE-2021-3664 | Medium | 5.3 | url-parse-1.5.1.tgz | Transitive | N/A | |
| CVE-2022-24773 | Medium | 5.3 | node-forge-0.10.0.tgz | Transitive | N/A | |
| CVE-2022-0639 | Medium | 5.3 | url-parse-1.5.1.tgz | Transitive | N/A | |
| CVE-2021-23382 | Medium | 5.3 | postcss-7.0.35.tgz | Transitive | N/A | |
| CVE-2021-23364 | Medium | 5.3 | browserslist-4.16.3.tgz | Transitive | N/A | |
| CVE-2021-23368 | Medium | 5.3 | postcss-7.0.35.tgz | Transitive | N/A | |

## Details

Partial details (11 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.

## CVE-2022-0691

### Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/url-parse/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - webpack-dev-server-3.11.2.tgz
    - sockjs-client-1.5.1.tgz
      - :x: **url-parse-1.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution: url-parse - 1.5.9

## WS-2021-0153

### Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/ejs/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - webpack-bundle-analyzer-3.9.0.tgz
    - :x: **ejs-2.7.4.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/mde/ejs/issues/571

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

## CVE-2021-44906

### Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/minimist/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - :x: **minimist-1.2.5.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

## CVE-2022-29078

### Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/ejs/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - webpack-bundle-analyzer-3.9.0.tgz
    - :x: **ejs-2.7.4.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078

Release Date: 2022-04-25

Fix Resolution: ejs - v3.1.7

## CVE-2022-0686

### Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/url-parse/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - webpack-dev-server-3.11.2.tgz
    - sockjs-client-1.5.1.tgz
      - :x: **url-parse-1.5.1.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution: url-parse - 1.5.8

## CVE-2021-43138

### Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/async/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - portfinder-1.0.28.tgz
    - :x: **async-2.6.3.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - v3.2.2

## CVE-2021-23424

### Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/ansi-html/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - webpack-dev-server-3.11.2.tgz
    - :x: **ansi-html-0.0.7.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution:
- VueJS.NetCore - 1.1.1
- Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1
- NorDroN.AngularTemplate - 0.1.6
- CoreVueWebTest - 3.0.101
- dotnetng.template - 1.0.0.4
- Fable.Template.Elmish.React - 0.1.6
- SAFE.Template - 3.0.1
- GR.PageRender.Razor - 1.8.0
- Envisia.DotNet.Templates - 3.0.1

## CVE-2020-28469

### Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/glob-parent/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - :x: **glob-parent-3.1.0.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

## CVE-2021-33502

### Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

#### normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/normalize-url/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - mini-css-extract-plugin-0.9.0.tgz
    - :x: **normalize-url-1.9.1.tgz** (Vulnerable Library)

#### normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/postcss-normalize-url/node_modules/normalize-url/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - cssnano-4.1.10.tgz
    - cssnano-preset-default-4.0.7.tgz
      - postcss-normalize-url-4.0.1.tgz
        - :x: **normalize-url-3.3.0.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

## CVE-2021-27290

### Vulnerable Libraries - ssri-7.1.0.tgz, ssri-6.0.1.tgz

#### ssri-7.1.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/ssri/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - :x: **ssri-7.1.0.tgz** (Vulnerable Library)

#### ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/cacache/node_modules/ssri/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - cacache-12.0.4.tgz
      - :x: **ssri-6.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2, 7.1.1, 8.0.1

## CVE-2021-29059

### Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/is-svg/package.json

Dependency Hierarchy:
- cli-service-4.5.12.tgz (Root Library)
  - cssnano-4.1.10.tgz
    - cssnano-preset-default-4.0.7.tgz
      - postcss-svgo-4.0.2.tgz
        - :x: **is-svg-3.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 91f5d7a169fd359bad9e33b954d19e6f8f7adac5

Found in base branch: main

### Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0

Release Date: 2021-06-21

Fix Resolution: is-svg - 4.3.0

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.