Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
Vulnerable Library - ng-packagr-11.2.4.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/postcss/package.json
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Vulnerabilities
Details
CVE-2021-44906
### Vulnerable Library - minimist-1.2.5.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/minimist/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-svgo-4.0.3.tgz - svgo-1.3.2.tgz - mkdirp-0.5.5.tgz - :x: **minimist-1.2.5.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsMinimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/substack/minimist/issues/164
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-33587
### Vulnerable Library - css-what-3.4.2.tgza CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/css-what/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-svgo-4.0.3.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **css-what-3.4.2.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsThe css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-3807
### Vulnerable Library - ansi-regex-5.0.0.tgzRegular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - ora-5.1.0.tgz - strip-ansi-6.0.0.tgz - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability Detailsansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)WS-2021-0152
### Vulnerable Library - color-string-1.5.4.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/color-string/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-colormin-4.0.3.tgz - color-3.1.3.tgz - :x: **color-string-1.5.4.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsRegular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-33502
### Vulnerable Library - normalize-url-3.3.0.tgzNormalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/normalize-url/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-normalize-url-4.0.1.tgz - :x: **normalize-url-3.3.0.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsThe normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-23343
### Vulnerable Library - path-parse-1.0.6.tgzNode.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/path-parse/package.json,/aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/path-parse/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - plugin-commonjs-17.1.0.tgz - resolve-1.19.0.tgz - :x: **path-parse-1.0.6.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsAll versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/jbgutierrez/path-parse/issues/8
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-3803
### Vulnerable Library - nth-check-1.0.2.tgzperformant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/nth-check/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-svgo-4.0.3.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **nth-check-1.0.2.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability Detailsnth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-23382
### Vulnerable Library - postcss-7.0.35.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/postcss/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - :x: **postcss-7.0.35.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsThe package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-23364
### Vulnerable Library - browserslist-4.15.0.tgzShare target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.15.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/browserslist/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-colormin-4.0.3.tgz - :x: **browserslist-4.15.0.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsThe package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-29060
### Vulnerable Library - color-string-1.5.4.tgzParser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/color-string/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - cssnano-preset-default-4.0.8.tgz - postcss-colormin-4.0.3.tgz - color-3.1.3.tgz - :x: **color-string-1.5.4.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsA Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-23368
### Vulnerable Library - postcss-7.0.35.tgzTool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/postcss/package.json
Dependency Hierarchy: - ng-packagr-11.2.4.tgz (Root Library) - cssnano-4.1.11.tgz - :x: **postcss-7.0.35.tgz** (Vulnerable Library)
Found in HEAD commit: 8e3c9be039ea15d724955615b082116fe57fa5c4
Found in base branch: develop
### Vulnerability DetailsThe package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.0
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)