mend-for-github-com[bot]
commented
2 years ago :heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
Vulnerabilities
Details
CVE-2021-33587
### Vulnerable Library - css-what-3.4.2.tgza CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-scripts-5.0.0.tgz - webpack-5.5.0.tgz - plugin-svgo-5.5.0.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **css-what-3.4.2.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
CVE-2021-3807
### Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz### ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-md-editor-3.9.0.tgz - react-markdown-preview-3.4.5.tgz - rehype-prism-0.8.0.tgz - mrm-3.0.10.tgz - libnpx-10.2.4.tgz - yargs-14.2.3.tgz - string-width-3.1.0.tgz - strip-ansi-5.2.0.tgz - :x: **ansi-regex-4.1.0.tgz** (Vulnerable Library) ### ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-md-editor-3.9.0.tgz - react-markdown-preview-3.4.5.tgz - rehype-prism-0.8.0.tgz - mrm-3.0.10.tgz - libnpx-10.2.4.tgz - update-notifier-2.5.0.tgz - boxen-1.3.0.tgz - string-width-2.1.1.tgz - strip-ansi-4.0.0.tgz - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
CVE-2021-3803
### Vulnerable Libraries - nth-check-1.0.2.tgz, nth-check-2.0.0.tgz### nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-scripts-5.0.0.tgz - webpack-5.5.0.tgz - plugin-svgo-5.5.0.tgz - svgo-1.3.2.tgz - css-select-2.1.0.tgz - :x: **nth-check-1.0.2.tgz** (Vulnerable Library) ### nth-check-2.0.0.tgz
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-md-editor-3.9.0.tgz - react-markdown-preview-3.4.5.tgz - rehype-rewrite-3.0.4.tgz - hast-util-select-5.0.1.tgz - :x: **nth-check-2.0.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsnth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
WS-2022-0008
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-scripts-5.0.0.tgz - webpack-dev-server-4.6.0.tgz - selfsigned-1.10.11.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
### CVSS 3 Score Details (6.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
CVE-2022-0122
### Vulnerable Library - node-forge-0.10.0.tgzJavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-scripts-5.0.0.tgz - webpack-dev-server-4.6.0.tgz - selfsigned-1.10.11.tgz - :x: **node-forge-0.10.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsforge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
CVE-2022-23647
### Vulnerable Library - prismjs-1.25.0.tgzLightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - react-md-editor-3.9.0.tgz - react-markdown-preview-3.4.5.tgz - rehype-prism-0.8.0.tgz - refractor-3.5.0.tgz - :x: **prismjs-1.25.0.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsPrism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs- v1.27.0
CVE-2022-0235
### Vulnerable Library - node-fetch-1.7.3.tgzA light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - evergreen-ui-6.6.3.tgz - glamor-2.20.40.tgz - fbjs-0.8.18.tgz - isomorphic-fetch-2.2.1.tgz - :x: **node-fetch-1.7.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsnode-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
CVE-2020-15168
### Vulnerable Library - node-fetch-1.7.3.tgzA light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy: - @zgriesinger/single-page-app-file:frontend/single-page-app.tgz (Root Library) - evergreen-ui-6.6.3.tgz - glamor-2.20.40.tgz - fbjs-0.8.18.tgz - isomorphic-fetch-2.2.1.tgz - :x: **node-fetch-1.7.3.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsnode-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9