flowbotjs's Introduction

  • 👋 Hi, I'm @MihirJayavant
  • 👀 I'm interested in javascript and dotnet

flowbotjs's People

Contributors

mihirjayavant

flowbotjs's Issues

CVE-2022-37598 (High) detected in uglify-js-3.8.0.tgz

CVE-2022-37598 - High Severity Vulnerability

Vulnerable Library - uglify-js-3.8.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/uglify-js/package.json

Dependency Hierarchy:

  • typedoc-0.16.11.tgz (Root Library)
    • handlebars-4.7.3.tgz
      • ❌ uglify-js-3.8.0.tgz (Vulnerable Library)

Vulnerability Details

** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (typedoc): 0.17.0-0


Step up your Open Source Security Game with Mend here

CVE-2021-3795 (High) detected in semver-regex-2.0.0.tgz

CVE-2021-3795 - High Severity Vulnerability

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • husky-4.2.3.tgz (Root Library)
    • find-versions-3.2.0.tgz
      • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (semver-regex): 3.1.3

Direct dependency fix Resolution (husky): 4.3.7



CVE-2021-33502 (High) detected in normalize-url-3.3.0.tgz

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Library - normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • parse-url-5.0.1.tgz
              • ❌ normalize-url-3.3.0.tgz (Vulnerable Library)

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1



CVE-2022-0624 (High) detected in parse-path-4.0.1.tgz

CVE-2022-0624 - High Severity Vulnerability

Vulnerable Library - parse-path-4.0.1.tgz

Parse paths (local paths, urls: ssh/git/etc)

Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-path/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • parse-url-5.0.1.tgz
              • ❌ parse-path-4.0.1.tgz (Vulnerable Library)

Vulnerability Details

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Publish Date: 2022-06-28

URL: CVE-2022-0624

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624

Release Date: 2022-06-28

Fix Resolution (parse-path): 6.0.0

Direct dependency fix Resolution (lerna): 5.1.8



WS-2020-0042 (High) detected in acorn-6.4.0.tgz

WS-2020-0042 - High Severity Vulnerability

Vulnerable Library - acorn-6.4.0.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/acorn-globals/node_modules/acorn/package.json

Dependency Hierarchy:

  • jest-25.1.0.tgz (Root Library)
    • core-25.1.0.tgz
      • jest-config-25.1.0.tgz
        • jest-environment-jsdom-25.1.0.tgz
          • jsdom-15.2.1.tgz
            • acorn-globals-4.3.4.tgz
              • ❌ acorn-6.4.0.tgz (Vulnerable Library)

Vulnerability Details

acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a denial of service, since the string is not valid UTF-16 and is therefore sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6chw-6frg-f759

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (jest): 25.2.0



CVE-2022-2217 (Medium) detected in parse-url-5.0.1.tgz

CVE-2022-2217 - Medium Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2217

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (lerna): 3.21.0



CVE-2021-44906 (High) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2021-44906 - High Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@cnakazawa/watch/node_modules/minimist/package.json

Dependency Hierarchy:

  • jest-25.1.0.tgz (Root Library)
    • core-25.1.0.tgz
      • jest-haste-map-25.1.0.tgz
        • sane-4.1.0.tgz
          • ❌ minimist-1.2.0.tgz (Vulnerable Library)

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (eslint): 7.15.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (jest): 27.0.0



CVE-2021-43307 (High) detected in semver-regex-2.0.0.tgz

CVE-2021-43307 - High Severity Vulnerability

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • husky-4.2.3.tgz (Root Library)
    • find-versions-3.2.0.tgz
      • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (husky): 4.3.7



WS-2022-0239 (Medium) detected in parse-url-5.0.1.tgz

WS-2022-0239 - Medium Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0.
Through this vulnerability, an attacker is able to execute malicious JS code.

Publish Date: 2022-07-02

URL: WS-2022-0239

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution (parse-url): 8.0.0

Direct dependency fix Resolution (lerna): 5.1.8



CVE-2020-7789 (Medium) detected in node-notifier-6.0.0.tgz

CVE-2020-7789 - Medium Severity Vulnerability

Vulnerable Library - node-notifier-6.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier/package.json

Dependency Hierarchy:

  • jest-25.1.0.tgz (Root Library)
    • core-25.1.0.tgz
      • reporters-25.1.0.tgz
        • ❌ node-notifier-6.0.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines because the options params are not sanitised when passed as an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution (node-notifier): 8.0.1

Direct dependency fix Resolution (jest): 26.0.0



CVE-2021-35065 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • create-3.18.5.tgz
      • globby-9.2.0.tgz
        • fast-glob-2.2.7.tgz
          • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • ❌ glob-parent-5.1.0.tgz (Vulnerable Library)

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (lerna): 5.1.8

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (eslint): 8.0.0



CVE-2019-20149 (Medium) detected in multiple libraries - autoclosed

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Libraries - kind-of-3.2.2.tgz, kind-of-4.0.0.tgz, kind-of-6.0.2.tgz, kind-of-5.1.0.tgz

kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/flowbotjs/package.json

Path to vulnerable library: /tmp/ws-scm/flowbotjs/node_modules/is-number/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.9.0.tgz (Root Library)
    • jest-cli-24.9.0.tgz
      • core-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • class-utils-0.3.6.tgz
                • static-extend-0.1.2.tgz
                  • object-copy-0.1.0.tgz
                    • ❌ kind-of-3.2.2.tgz (Vulnerable Library)

kind-of-4.0.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz

Path to dependency file: /tmp/ws-scm/flowbotjs/package.json

Path to vulnerable library: /tmp/ws-scm/flowbotjs/node_modules/has-values/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.9.0.tgz (Root Library)
    • jest-cli-24.9.0.tgz
      • core-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • has-value-1.0.0.tgz
                  • has-values-1.0.0.tgz
                    • ❌ kind-of-4.0.0.tgz (Vulnerable Library)

kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /tmp/ws-scm/flowbotjs/package.json

Path to vulnerable library: /tmp/ws-scm/flowbotjs/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.9.0.tgz (Root Library)
    • jest-cli-24.9.0.tgz
      • core-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

kind-of-5.1.0.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz

Path to dependency file: /tmp/ws-scm/flowbotjs/package.json

Path to vulnerable library: /tmp/ws-scm/flowbotjs/node_modules/is-descriptor/node_modules/kind-of/package.json

Dependency Hierarchy:

  • jest-24.9.0.tgz (Root Library)
    • jest-cli-24.9.0.tgz
      • core-24.9.0.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • define-property-0.2.5.tgz
              • is-descriptor-0.1.6.tgz
                • ❌ kind-of-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 75d878235e1174473693b31aa1f0f68c0b68d0d0

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available



CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz

glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/fast-glob/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • create-3.18.5.tgz
      • globby-9.2.0.tgz
        • fast-glob-2.2.7.tgz
          • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

glob-parent-5.1.0.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • ❌ glob-parent-5.1.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package glob-parent before 5.1.2. The affected code is the enclosure regex used to check for strings ending in an enclosure containing a path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (lerna): 3.21.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (eslint): 7.0.0



WS-2022-0237 (High) detected in parse-url-5.0.1.tgz

WS-2022-0237 - High Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows causing a denial of service when the parse-url function is called.

Publish Date: 2022-07-04

URL: WS-2022-0237

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution (parse-url): 8.0.0

Direct dependency fix Resolution (lerna): 5.1.8



WS-2020-0208 (Medium) detected in highlight.js-9.18.1.tgz

WS-2020-0208 - Medium Severity Vulnerability

Vulnerable Library - highlight.js-9.18.1.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/highlight.js/package.json

Dependency Hierarchy:

  • typedoc-0.16.11.tgz (Root Library)
    • ❌ highlight.js-9.18.1.tgz (Vulnerable Library)

Vulnerability Details

If you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (i.e., Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-04

Fix Resolution (highlight.js): 10.4.1

Direct dependency fix Resolution (typedoc): 0.17.5



CVE-2022-2216 (High) detected in parse-url-5.0.1.tgz

CVE-2022-2216 - High Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2216

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (lerna): 3.21.0



CVE-2020-15168 (Medium) detected in node-fetch-2.6.0.tgz

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • gitlab-client-3.15.0.tgz
        • ❌ node-fetch-2.6.0.tgz (Vulnerable Library)

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (lerna): 3.21.0



CVE-2021-23358 (High) detected in underscore-1.9.2.tgz

CVE-2021-23358 - High Severity Vulnerability

Vulnerable Library - underscore-1.9.2.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.9.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/underscore/package.json

Dependency Hierarchy:

  • typedoc-0.16.11.tgz (Root Library)
    • typedoc-default-themes-0.7.2.tgz
      • ❌ underscore-1.9.2.tgz (Vulnerable Library)

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (typedoc): 0.17.0-0



CVE-2022-2900 (High) detected in parse-url-5.0.1.tgz

CVE-2022-2900 - High Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • ❌ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-14

URL: CVE-2022-2900

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-14

Fix Resolution (parse-url): 8.0.0

Direct dependency fix Resolution (lerna): 5.1.8


CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • โŒ minimatch-3.0.4.tgz (Vulnerable Library)

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5


CVE-2022-0235 (Medium) detected in node-fetch-2.6.0.tgz

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • gitlab-client-3.15.0.tgz
        • โŒ node-fetch-2.6.0.tgz (Vulnerable Library)

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (lerna): 5.1.8


CVE-2020-8116 (High) detected in dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz

CVE-2020-8116 - High Severity Vulnerability

Vulnerable Libraries - dot-prop-3.0.0.tgz, dot-prop-4.2.0.tgz

dot-prop-3.0.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/compare-func/node_modules/dot-prop/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • conventional-commits-3.18.5.tgz
        • conventional-changelog-angular-5.0.6.tgz
          • compare-func-1.3.2.tgz
            • โŒ dot-prop-3.0.0.tgz (Vulnerable Library)
dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • add-3.20.0.tgz
      • command-3.18.5.tgz
        • project-3.18.0.tgz
          • โŒ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 9f171f600c01ca960e935b20c68135cb2fbe681b

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (lerna): 3.21.0



CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • eslint-6.8.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • โŒ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@cnakazawa/watch/node_modules/minimist/package.json

Dependency Hierarchy:

  • jest-25.1.0.tgz (Root Library)
    • core-25.1.0.tgz
      • jest-haste-map-25.1.0.tgz
        • sane-4.1.0.tgz
          • โŒ minimist-1.2.0.tgz (Vulnerable Library)

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (eslint): 7.0.0

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (jest): 25.2.0


CVE-2022-0722 (High) detected in parse-url-5.0.1.tgz

CVE-2022-0722 - High Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • โŒ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-0722

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (lerna): 3.21.0


CVE-2020-7677 (High) detected in thenify-3.3.0.tgz

CVE-2020-7677 - High Severity Vulnerability

Vulnerable Library - thenify-3.3.0.tgz

Promisify a callback-based function

Library home page: https://registry.npmjs.org/thenify/-/thenify-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/thenify/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • bootstrap-3.20.0.tgz
      • symlink-binary-3.17.0.tgz
        • create-symlink-3.16.2.tgz
          • cmd-shim-3.1.0.tgz
            • mz-2.7.0.tgz
              • thenify-all-1.6.0.tgz
                • โŒ thenify-3.3.0.tgz (Vulnerable Library)

Vulnerability Details

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users, and it is passed to the eval function without any sanitization.

Publish Date: 2022-07-25

URL: CVE-2020-7677

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-29xr-v42j-r956

Release Date: 2020-07-21

Fix Resolution (thenify): 3.3.1

Direct dependency fix Resolution (lerna): 3.21.0


CVE-2022-3224 (Medium) detected in parse-url-5.0.1.tgz

CVE-2022-3224 - Medium Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • โŒ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-15

URL: CVE-2022-3224

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224

Release Date: 2022-09-15

Fix Resolution: parse-url - 8.1.0


CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/meow/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • conventional-commits-3.18.5.tgz
        • conventional-changelog-core-3.2.3.tgz
          • conventional-changelog-writer-4.0.11.tgz
            • meow-5.0.0.tgz
              • โŒ yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 3c801c83a1bfc8cb4b3215f9e3e8f4ffdf239a4b

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (lerna): 3.21.0


WS-2022-0238 (High) detected in parse-url-5.0.1.tgz

WS-2022-0238 - High Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • โŒ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution (parse-url): 8.0.0

Direct dependency fix Resolution (lerna): 5.1.8


CVE-2022-38900 (High) detected in decode-uri-component-0.2.0.tgz

CVE-2022-38900 - High Severity Vulnerability

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • jest-25.1.0.tgz (Root Library)
    • core-25.1.0.tgz
      • jest-haste-map-25.1.0.tgz
        • sane-4.1.0.tgz
          • micromatch-3.1.10.tgz
            • snapdragon-0.8.2.tgz
              • source-map-resolve-0.5.3.tgz
                • โŒ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


CVE-2022-2218 (Medium) detected in parse-url-5.0.1.tgz

CVE-2022-2218 - Medium Severity Vulnerability

Vulnerable Library - parse-url-5.0.1.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-5.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/parse-url/package.json

Dependency Hierarchy:

  • lerna-3.20.2.tgz (Root Library)
    • version-3.20.2.tgz
      • github-client-3.16.5.tgz
        • git-url-parse-11.1.2.tgz
          • git-up-4.0.1.tgz
            • โŒ parse-url-5.0.1.tgz (Vulnerable Library)

Vulnerability Details

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Publish Date: 2022-06-27

URL: CVE-2022-2218

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5/

Release Date: 2022-06-27

Fix Resolution (parse-url): 6.0.3

Direct dependency fix Resolution (lerna): 3.21.0

