*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before version 0.10., when processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process. While this is a feature of the Less.js library it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development. Especially in the context of UI5 Tooling which relies on less-openui5. An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files. Refer to the referenced GHSA-3crj-w4f5-gwh4 for examples. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3. Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it. We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork. This fix is available in less-openui5 version 0.10.0.
When processing theming resources (i.e. *.less files) with less-openui5 before 0.10.0 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Vulnerable Library - less-openui5-0.1.2.tgz
Build OpenUI5 themes with Less.js
Library home page: https://registry.npmjs.org/less-openui5/-/less-openui5-0.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/less-openui5/package.json
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26136
### Vulnerable Library - tough-cookie-2.5.0.tgzRFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tough-cookie/package.json
Dependency Hierarchy: - less-openui5-0.1.2.tgz (Root Library) - less-1.6.3.tgz - request-2.88.2.tgz - :x: **tough-cookie-2.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability DetailsVersions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (less-openui5): 0.9.0
In order to enable automatic remediation, please create workflow rules
CVE-2021-21316
### Vulnerable Library - less-openui5-0.1.2.tgzBuild OpenUI5 themes with Less.js
Library home page: https://registry.npmjs.org/less-openui5/-/less-openui5-0.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/less-openui5/package.json
Dependency Hierarchy: - :x: **less-openui5-0.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability Detailsless-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before version 0.10., when processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process. While this is a feature of the Less.js library it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development. Especially in the context of UI5 Tooling which relies on less-openui5. An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files. Refer to the referenced GHSA-3crj-w4f5-gwh4 for examples. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3. Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it. We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork. This fix is available in less-openui5 version 0.10.0.
Publish Date: 2021-02-16
URL: CVE-2021-21316
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/SAP/less-openui5/security/advisories/GHSA-3crj-w4f5-gwh4
Release Date: 2021-02-16
Fix Resolution: 0.10.0
In order to enable automatic remediation, please create workflow rules
WS-2021-0009
### Vulnerable Library - less-openui5-0.1.2.tgzBuild OpenUI5 themes with Less.js
Library home page: https://registry.npmjs.org/less-openui5/-/less-openui5-0.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/less-openui5/package.json
Dependency Hierarchy: - :x: **less-openui5-0.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability DetailsWhen processing theming resources (i.e. *.less files) with less-openui5 before 0.10.0 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.
Publish Date: 2021-01-29
URL: WS-2021-0009
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-3crj-w4f5-gwh4
Release Date: 2021-01-29
Fix Resolution: 0.10.0
In order to enable automatic remediation, please create workflow rules
CVE-2017-16138
### Vulnerable Library - mime-1.2.11.tgzA comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mime/package.json
Dependency Hierarchy: - less-openui5-0.1.2.tgz (Root Library) - less-1.6.3.tgz - :x: **mime-1.2.11.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability DetailsThe mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. Mend Note: Converted from WS-2017-0330, on 2022-11-08.
Publish Date: 2018-06-07
URL: CVE-2017-16138
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-04-26
Fix Resolution (mime): 1.4.1
Direct dependency fix Resolution (less-openui5): 0.8.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-28155
### Vulnerable Library - request-2.88.2.tgzSimplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy: - less-openui5-0.1.2.tgz (Root Library) - less-1.6.3.tgz - :x: **request-2.88.2.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability DetailsThe Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
WS-2019-0017
### Vulnerable Library - clean-css-2.0.8.tgzA well-tested CSS minifier
Library home page: https://registry.npmjs.org/clean-css/-/clean-css-2.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/clean-css/package.json
Dependency Hierarchy: - less-openui5-0.1.2.tgz (Root Library) - less-1.6.3.tgz - :x: **clean-css-2.0.8.tgz** (Vulnerable Library)
Found in HEAD commit: c178a9193da7a9c0bd7f951a938ac8124848caa6
Found in base branch: main
### Vulnerability DetailsVersion of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Publish Date: 2018-03-06
URL: WS-2019-0017
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-wxhq-pm8v-cw75
Release Date: 2018-03-06
Fix Resolution (clean-css): 4.1.11
Direct dependency fix Resolution (less-openui5): 0.8.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules