graphql's Introduction

⚠️ This project is an alpha POC of a generic GraphQL API for Temporal. We welcome feedback and contributions.

A GraphQL server that uses the TypeScript SDK to query Temporal Server. Built with Apollo Server.

Documentation site

GraphQL projects

  • This repo: A Node server that's able to decode Payloads (and encode arguments), but doesn't cover the entire Temporal API. Feel free to open PRs with more coverage.
  • temporalio/graphql-full: A Java GraphQL server that covers more gRPC methods but doesn't handle Payloads well.

Get started

git clone https://github.com/temporalio/graphql.git
cd graphql
npm i
npm run start.watch

Open localhost:4000 or point your GraphQL IDE (like GraphQL Studio) at http://localhost:4000/graphql.

Updating types

After you change src/schema.graphql, while your dev server is running (without errors), do:

npm run codegen

to update the types in src/generated-resolver-types.ts.

graphql's People

Contributors

dependabot[bot], lorensr, mend-for-github-com[bot]


Forkers

isabella232

graphql's Issues

spectaql-2.1.1.tgz: 3 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - spectaql-2.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spectaql version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-46175 | High | 8.8 | json5-2.2.1.tgz | Transitive | 2.2.0 | |
| CVE-2023-44270 | Medium | 5.3 | postcss-8.4.26.tgz | Transitive | N/A* | |
| CVE-2023-26144 | Medium | 5.3 | graphql-16.7.1.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2022-46175

Vulnerable Library - json5-2.2.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-2.1.1.tgz (Root Library)
    • json5-2.2.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (spectaql): 2.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-44270

Vulnerable Library - postcss-8.4.26.tgz

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.4.26.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-2.1.1.tgz (Root Library)
    • postcss-8.4.26.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

CVE-2023-26144

Vulnerable Library - graphql-16.7.1.tgz

Library home page: https://registry.npmjs.org/graphql/-/graphql-16.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-2.1.1.tgz (Root Library)
    • graphql-16.7.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Publish Date: 2023-09-20

URL: CVE-2023-26144

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-09-20

Fix Resolution: graphql - 16.8.1

⛑️ Automatic Remediation will be attempted for this issue.

cli-2.11.1.tgz: 10 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - cli-2.11.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (cli version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-35949 | Critical | 9.8 | undici-5.5.1.tgz | Transitive | N/A* | |
| CVE-2022-23539 | High | 8.1 | jsonwebtoken-8.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2022-23540 | High | 7.6 | jsonwebtoken-8.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2023-24807 | High | 7.5 | detected in multiple dependencies | Transitive | 2.11.2 | |
| CVE-2022-31151 | Medium | 6.5 | undici-5.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2022-31150 | Medium | 6.5 | undici-5.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2022-23541 | Medium | 6.3 | jsonwebtoken-8.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2023-23936 | Medium | 5.4 | detected in multiple dependencies | Transitive | 2.11.2 | |
| CVE-2022-35948 | Medium | 5.3 | undici-5.5.1.tgz | Transitive | 2.11.2 | |
| CVE-2022-25883 | Medium | 5.3 | semver-5.7.1.tgz | Transitive | 2.11.2 | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

Details

CVE-2022-35949

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1:

```js
const undici = require("undici")

// In affected versions the protocol-relative pathname below replaces the
// host given in `origin` instead of being appended to it.
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
```

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1. If a developer passes user input into the path parameter of undici.request, it can result in an SSRF, as they will assume that the hostname cannot change, when in fact it can, because the specified path parameter is combined with the base URL. This issue was fixed in undici@5.8.2. The best workaround is to validate user input before passing it to the undici.request call.

Publish Date: 2022-08-12

URL: CVE-2022-35949

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949

Release Date: 2022-08-12

Fix Resolution: undici - 5.8.2

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • prisma-loader-7.2.14.tgz
      • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • prisma-loader-7.2.14.tgz
      • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of the jsonwebtoken library, lack of an algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if they do not specify algorithms in the jwt.verify() function. This issue has been fixed; please update to version 9.0.0, which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact if you update to version 9.0.0 and you don't need to allow the none algorithm. If you need the 'none' algorithm, you have to explicitly specify that in the jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2023-24807

Vulnerable Libraries - undici-5.5.1.tgz, undici-5.8.2.tgz

undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

undici-5.8.2.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@graphql-codegen/cli/node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • apollo-engine-loader-7.3.9.tgz
      • fetch-0.2.9.tgz
        • undici-5.8.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Publish Date: 2023-02-16

URL: CVE-2023-24807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6ch-mqf9-qc9w

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-31151

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of a cookie to a 3rd-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) may leak the cookie to the 3rd-party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution (undici): 5.8.0

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-31150

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution (undici): 5.8.0

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • prisma-loader-7.2.14.tgz
      • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of the jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens if your application supports usage of both symmetric and asymmetric keys in its jwt.verify() implementation with the same key retrieval function. This issue has been patched; please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2023-23936

Vulnerable Libraries - undici-5.5.1.tgz, undici-5.8.2.tgz

undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

undici-5.8.2.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@graphql-codegen/cli/node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • apollo-engine-loader-7.3.9.tgz
      • fetch-0.2.9.tgz
        • undici-5.8.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

Publish Date: 2023-02-16

URL: CVE-2023-23936

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5r9g-qh6m-jxff

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-35948

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • fetch-0.0.2.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. undici versions before 5.8.1 are vulnerable to CRLF injection on headers when using unsanitized input as request headers, more specifically inside the content-type header. Example:

```js
import { request } from 'undici'

// Untrusted input carrying a CRLF sequence followed by a second request line.
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000', {
  method: 'GET',
  headers: { 'content-type': unsanitizedContentTypeInput },
})
```

The above snippet will perform two requests in a single request API call: 1) http://localhost:3000/ 2) http://localhost:3000/foo2. This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Publish Date: 2022-08-15

URL: CVE-2022-35948

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948

Release Date: 2022-08-15

Fix Resolution (undici): 5.8.2

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/node_modules/semver/package.json

Dependency Hierarchy:

  • cli-2.11.1.tgz (Root Library)
    • prisma-loader-7.2.14.tgz
      • jsonwebtoken-8.5.1.tgz
        • semver-5.7.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (@graphql-codegen/cli): 2.11.2

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

graphql-cli-common-2.9.0.tgz: 1 vulnerability (highest severity is: 8.8)

Vulnerable Library - graphql-cli-common-2.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (graphql-cli-common version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-23326 | High | 8.8 | git-loader-6.2.4.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2021-23326

Vulnerable Library - git-loader-6.2.4.tgz

A set of utils for faster development of GraphQL tools

Library home page: https://registry.npmjs.org/@graphql-tools/git-loader/-/git-loader-6.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • graphql-cli-common-2.9.0.tgz (Root Library)
    • loaders-4.1.0.tgz
      • git-loader-6.2.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

Publish Date: 2021-01-20

URL: CVE-2021-23326

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-20

Fix Resolution: @graphql-tools/git-loader - 6.2.6

introspect-2.1.0.tgz: 7 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - introspect-2.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (introspect version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-45133 | High | 8.8 | traverse-7.12.13.tgz | Transitive | N/A* | |
| CVE-2022-23539 | High | 8.1 | jsonwebtoken-8.5.1.tgz | Transitive | N/A* | |
| CVE-2022-23540 | High | 7.6 | jsonwebtoken-8.5.1.tgz | Transitive | N/A* | |
| CVE-2022-25883 | High | 7.5 | semver-5.7.1.tgz | Transitive | N/A* | |
| CVE-2022-23541 | Medium | 6.3 | jsonwebtoken-8.5.1.tgz | Transitive | N/A* | |
| CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.1.tgz | Transitive | N/A* | |
| CVE-2021-32640 | Medium | 5.3 | ws-7.4.5.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2023-45133

Vulnerable Library - traverse-7.12.13.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.12.13.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • github-loader-6.2.5.tgz
        • graphql-tag-pluck-6.5.1.tgz
          • traverse-7.12.13.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4, and in all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • prisma-loader-6.3.0.tgz
        • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • prisma-loader-6.3.0.tgz
        • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • prisma-loader-6.3.0.tgz
        • jsonwebtoken-8.5.1.tgz
          • semver-5.7.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • prisma-loader-6.3.0.tgz
        • jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution: jsonwebtoken - 9.0.0

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • url-loader-6.10.1.tgz
        • cross-fetch-3.1.4.tgz
          • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor: versions before 2.6.7 (and 3.x before 3.1.1) forward sensitive request headers such as Authorization and Cookie to a different origin when following a redirect, so a server that can redirect the client (for example via an open redirect) can capture the credentials.

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

CVE-2021-32640

Vulnerable Library - ws-7.4.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • introspect-2.1.0.tgz (Root Library)
    • loaders-4.0.0.tgz
      • url-loader-6.10.1.tgz
        • ws-7.4.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: 5.2.3,6.2.2,7.4.6

apollo-server-3.6.7.tgz: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - apollo-server-3.6.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server-core/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (apollo-server version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2022-0362 | High | 7.5 | apollo-server-core-3.6.7.tgz | Transitive | 3.6.8 | |
| WS-2022-0276 | Medium | 6.1 | apollo-server-core-3.6.7.tgz | Transitive | 3.6.8 | |

Details

WS-2022-0362

Vulnerable Library - apollo-server-core-3.6.7.tgz

Core engine for Apollo GraphQL server

Library home page: https://registry.npmjs.org/apollo-server-core/-/apollo-server-core-3.6.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server-core/package.json

Dependency Hierarchy:

  • apollo-server-3.6.7.tgz (Root Library)
    • apollo-server-core-3.6.7.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Batched HTTP requests may set an incorrect cache-control response header: the header chosen for a batched response can be less restrictive than one of the operations in the batch requires, so a shared cache may store a response that contains private data.

Publish Date: 2022-11-02

URL: WS-2022-0362

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8r69-3cvp-wxc3

Release Date: 2022-11-02

Fix Resolution (apollo-server-core): 3.11.0

Direct dependency fix Resolution (apollo-server): 3.6.8

⛑️ Automatic Remediation is available for this issue

WS-2022-0276

Vulnerable Library - apollo-server-core-3.6.7.tgz

Core engine for Apollo GraphQL server

Library home page: https://registry.npmjs.org/apollo-server-core/-/apollo-server-core-3.6.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/apollo-server-core/package.json

Dependency Hierarchy:

  • apollo-server-3.6.7.tgz (Root Library)
    • apollo-server-core-3.6.7.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.

Publish Date: 2022-08-22

URL: WS-2022-0276

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2fvv-qxrq-7jq6

Release Date: 2022-08-22

Fix Resolution (apollo-server-core): 3.10.1

Direct dependency fix Resolution (apollo-server): 3.6.8

⛑️ Automatic Remediation is available for this issue


⛑️ Automatic Remediation is available for this issue.

typescript-2.4.8.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - typescript-2.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/core/node_modules/semver/package.json,/node_modules/@babel/helper-compilation-targets/node_modules/semver/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (typescript version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-25883 | High | 7.5 | semver-6.3.0.tgz | Transitive | 4.0.1 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/core/node_modules/semver/package.json,/node_modules/@babel/helper-compilation-targets/node_modules/semver/package.json

Dependency Hierarchy:

  • typescript-2.4.8.tgz (Root Library)
    • visitor-plugin-common-2.7.4.tgz
      • relay-operation-optimizer-6.4.5.tgz
        • relay-compiler-12.0.0.tgz
          • core-7.17.8.tgz
            • semver-6.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (@graphql-codegen/typescript): 4.0.1

⛑️ Automatic Remediation will be attempted for this issue.


⛑️ Automatic Remediation will be attempted for this issue.

common-0.23.0.tgz: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - common-0.23.0.tgz

Path to dependency file: /package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (common version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-36665 | Critical | 9.8 | protobufjs-6.11.2.tgz | Transitive | N/A* | |
| CVE-2022-25878 | High | 7.5 | protobufjs-6.11.2.tgz | Transitive | 1.0.1 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36665

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Dependency Hierarchy:

  • common-0.23.0.tgz (Root Library)
    • proto3-json-serializer-0.1.9.tgz
      • protobufjs-6.11.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h755-8qp9-cq85

Release Date: 2023-07-05

Fix Resolution: protobufjs - 6.11.4,7.2.4

CVE-2022-25878

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Dependency Hierarchy:

  • common-0.23.0.tgz (Root Library)
    • proto3-json-serializer-0.1.9.tgz
      • protobufjs-6.11.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

Publish Date: 2022-05-27

URL: CVE-2022-25878

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878

Release Date: 2022-05-27

Fix Resolution (protobufjs): 6.11.3

Direct dependency fix Resolution (@temporalio/common): 1.0.1

cli-2.9.1.tgz: 2 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - cli-2.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-31151 | Medium | 6.5 | undici-5.5.1.tgz | Transitive | N/A | |
| CVE-2022-31150 | Medium | 6.5 | undici-5.5.1.tgz | Transitive | N/A | |

Details

CVE-2022-31151

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.9.1.tgz (Root Library)
    • cross-undici-fetch-0.4.14.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution: undici - 5.8.0

CVE-2022-31150

Vulnerable Library - undici-5.5.1.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.9.1.tgz (Root Library)
    • cross-undici-fetch-0.4.14.tgz
      • undici-5.5.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution: undici - 5.8.0

cli-2.6.2.tgz: 5 vulnerabilities (highest severity is: 8.1) - autoclosed

Vulnerable Library - cli-2.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-25645 | High | 8.1 | dset-3.1.1.tgz | Transitive | N/A | |
| CVE-2022-32210 | High | 7.7 | undici-5.0.0.tgz | Transitive | 2.6.4 | |
| CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | 2.6.4 | |
| CVE-2022-31150 | Medium | 5.3 | undici-5.0.0.tgz | Transitive | N/A | |
| CVE-2022-31151 | Low | 3.7 | undici-5.0.0.tgz | Transitive | N/A | |

Details

CVE-2022-25645

Vulnerable Library - dset-3.1.1.tgz

A tiny (194B) utility for safely writing deep Object values~!

Library home page: https://registry.npmjs.org/dset/-/dset-3.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dset/package.json

Dependency Hierarchy:

  • cli-2.6.2.tgz (Root Library)
    • url-loader-7.9.8.tgz
      • dset-3.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of package dset before 3.1.2 are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution only by validating whether the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Publish Date: 2022-05-01

URL: CVE-2022-25645

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-23wx-cgxq-vpwx

Release Date: 2022-05-01

Fix Resolution: dset - 3.1.2

CVE-2022-32210

Vulnerable Library - undici-5.0.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.6.2.tgz (Root Library)
    • apollo-engine-loader-7.2.6.tgz
      • cross-undici-fetch-0.1.28.tgz
        • undici-5.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Publish Date: 2022-07-14

URL: CVE-2022-32210

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pgw7-wx7w-2w33

Release Date: 2022-07-14

Fix Resolution (undici): 5.5.1

Direct dependency fix Resolution (@graphql-codegen/cli): 2.6.4

⛑️ Automatic Remediation is available for this issue

CVE-2022-33987

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • cli-2.6.2.tgz (Root Library)
    • latest-version-5.1.0.tgz
      • package-json-6.5.0.tgz
        • got-9.6.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 12.0.0-beta.1

Direct dependency fix Resolution (@graphql-codegen/cli): 2.6.4

⛑️ Automatic Remediation is available for this issue

CVE-2022-31150

Vulnerable Library - undici-5.0.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.6.2.tgz (Root Library)
    • apollo-engine-loader-7.2.6.tgz
      • cross-undici-fetch-0.1.28.tgz
        • undici-5.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issue.

Publish Date: 2022-07-19

URL: CVE-2022-31150

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31150

Release Date: 2022-07-19

Fix Resolution: undici - 5.8.0

CVE-2022-31151

Vulnerable Library - undici-5.0.0.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/undici/package.json

Dependency Hierarchy:

  • cli-2.6.2.tgz (Root Library)
    • apollo-engine-loader-7.2.6.tgz
      • cross-undici-fetch-0.1.28.tgz
        • undici-5.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. maxRedirections: 0 (the default).

Publish Date: 2022-07-21

URL: CVE-2022-31151

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q768-x9m6-m9qp

Release Date: 2022-07-21

Fix Resolution: undici - 5.8.0


⛑️ Automatic Remediation is available for this issue.

typescript-4.0.1.tgz: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - typescript-4.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: eb9fd879e34c06c42d739852c80d49b975a0cc75

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (typescript version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-25883 | High | 7.5 | semver-6.3.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • typescript-4.0.1.tgz (Root Library)
    • visitor-plugin-common-4.0.1.tgz
      • relay-operation-optimizer-7.0.0.tgz
        • relay-compiler-12.0.0.tgz
          • core-7.17.8.tgz
            • semver-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: eb9fd879e34c06c42d739852c80d49b975a0cc75

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
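
The report above flags a transitive semver with no fixing version of the direct dependency, which leaves the practical question of which copies of semver the lockfile actually installs and whether an override brought each one to a patched line. The following is an added example, not code from temporalio/graphql or from Mend: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports every install of a package against the per-line fix versions quoted in the advisory. The lockfile excerpt is constructed to mirror the nested semver paths in these issues; compareVersions, isFixed and findInstalls are this example's own names.

```javascript
// Added example, not part of temporalio/graphql. Checks which installed copies of a
// package sit below the advisory's fix versions, using only a package-lock.json object.

// Compare dotted release versions. Assumption: MAJOR.MINOR.PATCH releases; a
// pre-release suffix such as "-beta.1" is ignored because the fix versions in
// these advisories are plain releases.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An advisory may list one fix per release line ("5.7.2,6.3.1,7.5.2" above).
// An install is fixed when it is at or above the fix of its own major line, or on
// a newer major than any listed fix; an older major with no fix is not fixed.
function isFixed(installed, fixes) {
  const major = Number(installed.split('.')[0]);
  const sameLine = fixes.find((f) => Number(f.split('.')[0]) === major);
  if (sameLine) return compareVersions(installed, sameLine) >= 0;
  const newestFixMajor = Math.max(...fixes.map((f) => Number(f.split('.')[0])));
  return major > newestFixMajor;
}

// Walk the lockfile's "packages" map. Keys are node_modules paths, so the path
// also tells you which parent package owns a nested (non-hoisted) copy.
function findInstalls(lock, pkgName, fixes) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // root project entry has no version
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== pkgName) continue;
    results.push({ path, version: entry.version, fixed: isFixed(entry.version, fixes) });
  }
  return results;
}

// Constructed lockfile excerpt: one hoisted semver on a patched line plus two nested
// 6.3.0 copies under @babel packages, the shape reported in these issues.
const SAMPLE_LOCK = {
  name: 'graphql',
  lockfileVersion: 3,
  packages: {
    '': { name: 'graphql', devDependencies: { '@graphql-codegen/typescript': '4.0.1' } },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/@babel/core': { version: '7.17.8' },
    'node_modules/@babel/core/node_modules/semver': { version: '6.3.0' },
    'node_modules/@babel/helper-compilation-targets/node_modules/semver': { version: '6.3.0' },
  },
};

// Fix versions as quoted in the CVE-2022-25883 entry above, one per release line.
const SEMVER_FIXES = ['5.7.2', '6.3.1', '7.5.2'];

function report() {
  return findInstalls(SAMPLE_LOCK, 'semver', SEMVER_FIXES);
}

console.log(report());
```

To run it against a real tree, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an npm `overrides` entry that pins semver to 6.3.1 should make the two nested rows report fixed on the next install.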

cli-2.16.5.tgz: 4 vulnerabilities (highest severity is: 8.8) - autoclosed

Vulnerable Library - cli-2.16.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cli version) Remediation Possible**
CVE-2023-45133 High 8.8 traverse-7.17.3.tgz Transitive 3.0.0-v3rfc-20220824100538-d659bc2e8
CVE-2023-24807 High 7.5 undici-5.8.2.tgz Transitive 3.0.0-v3rfc-20220824100538-d659bc2e8
CVE-2023-23936 Medium 5.4 undici-5.8.2.tgz Transitive 3.0.0-v3rfc-20220824100538-d659bc2e8
CVE-2023-45143 Low 3.5 undici-5.8.2.tgz Transitive 3.0.0-v3rfc-20220824100538-d659bc2e8

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45133

Vulnerable Library - traverse-7.17.3.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.17.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • cli-2.16.5.tgz (Root Library)
    • git-loader-7.3.0.tgz
      • graphql-tag-pluck-7.5.2.tgz
        • traverse-7.17.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@graphql-codegen/cli): 3.0.0-v3rfc-20220824100538-d659bc2e8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-24807

Vulnerable Library - undici-5.8.2.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • cli-2.16.5.tgz (Root Library)
    • apollo-engine-loader-7.3.9.tgz
      • fetch-0.2.9.tgz
        • undici-5.8.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Publish Date: 2023-02-16

URL: CVE-2023-24807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r6ch-mqf9-qc9w

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (@graphql-codegen/cli): 3.0.0-v3rfc-20220824100538-d659bc2e8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-23936

Vulnerable Library - undici-5.8.2.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • cli-2.16.5.tgz (Root Library)
    • apollo-engine-loader-7.3.9.tgz
      • fetch-0.2.9.tgz
        • undici-5.8.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.

Publish Date: 2023-02-16

URL: CVE-2023-23936

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5r9g-qh6m-jxff

Release Date: 2023-02-16

Fix Resolution (undici): 5.19.1

Direct dependency fix Resolution (@graphql-codegen/cli): 3.0.0-v3rfc-20220824100538-d659bc2e8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45143

Vulnerable Library - undici-5.8.2.tgz

An HTTP/1.1 client, written from scratch for Node.js

Library home page: https://registry.npmjs.org/undici/-/undici-5.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • cli-2.16.5.tgz (Root Library)
    • apollo-engine-loader-7.3.9.tgz
      • fetch-0.2.9.tgz
        • undici-5.8.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.

Publish Date: 2023-10-12

URL: CVE-2023-45143

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wqq4-5wpv-mx2g

Release Date: 2023-10-12

Fix Resolution (undici): 5.26.2

Direct dependency fix Resolution (@graphql-codegen/cli): 3.0.0-v3rfc-20220824100538-d659bc2e8

⛑️ Automatic Remediation will be attempted for this issue.

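The three undici entries in this issue describe request-side weaknesses of the same client: a header-normalising regex that backtracks on long values (CVE-2023-24807), a Host header that is not checked for CR/LF (CVE-2023-23936), and Cookie surviving a cross-origin redirect (CVE-2023-45143, the same class as the CVE-2022-31151 entry earlier on this page). As an added example, not code from temporalio/graphql, undici or @graphql-codegen, the block below shows the three checks a caller can apply on its own side using only Node built-ins: a linear-time normaliser, a CR/LF/NUL rejection, and credential stripping when a redirect changes origin. normalizeHeaderValue, assertSafeHeaderValue and headersForRedirect, the sample hosts and the cookie value are this example's own.

```javascript
// Added example, not from temporalio/graphql or undici: request-side guards for the
// three undici weaknesses reported in this issue, built on Node globals only.

// 1. Linear-time header value normalisation (CVE-2023-24807 class). Fetch's "HTTP
//    whitespace" is HT, LF, CR and SP. Two index scans replace a trim regex, so the
//    cost grows with the input length instead of backtracking on it.
function normalizeHeaderValue(value) {
  const ws = new Set(['\t', '\n', '\r', ' ']);
  let start = 0;
  let end = value.length;
  while (start < end && ws.has(value[start])) start++;
  while (end > start && ws.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// 2. Reject values that could split the request (CVE-2023-23936 class). Leading and
//    trailing whitespace is trimmed first, as the Fetch spec does; a CR, LF or NUL
//    left inside the value is an error, not something to silently strip.
function assertSafeHeaderValue(name, value) {
  const normalized = normalizeHeaderValue(String(value));
  if (/[\r\n\0]/.test(normalized)) {
    throw new TypeError(`header ${name} contains CR, LF or NUL`);
  }
  return normalized;
}

// 3. Drop credentials when a redirect leaves the origin (CVE-2022-31151 and
//    CVE-2023-45143 class). The advisory says undici already drops Authorization;
//    Cookie and Proxy-Authorization get the same treatment here. Header names are
//    compared case-insensitively because HTTP header names are.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function headersForRedirect(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, fromUrl); // a relative Location resolves against the request URL
  if (from.origin === to.origin) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Constructed scenario: a request to an internal host whose 302 points at an
// attacker-chosen origin (the open-redirector case the advisories describe), and a
// second redirect that stays on the same origin.
function demo() {
  const outgoing = {
    Host: assertSafeHeaderValue('Host', ' internal.example \r\n'),
    Cookie: 'session=constructed-sample',
    Authorization: 'Bearer constructed-sample',
    Accept: 'application/json',
  };
  const crossOrigin = headersForRedirect(
    'https://internal.example/api', 'https://attacker.example/collect', outgoing);
  const sameOrigin = headersForRedirect(
    'https://internal.example/api', '/v2/api', outgoing);
  return { outgoing, crossOrigin, sameOrigin };
}

console.log(demo());
```

With undici itself, the cheapest mitigation is the one the CVE-2022-31151 entry names: leave maxRedirections at its default of 0 and follow redirects explicitly, passing each hop through headersForRedirect.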

cli-3.3.1.tgz: 1 vulnerability (highest severity is: 8.8)

Vulnerable Library - cli-3.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cli version) Remediation Possible**
CVE-2023-45133 High 8.8 traverse-7.17.3.tgz Transitive 4.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45133

Vulnerable Library - traverse-7.17.3.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.17.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • cli-3.3.1.tgz (Root Library)
    • git-loader-7.3.0.tgz
      • graphql-tag-pluck-7.5.2.tgz
        • traverse-7.17.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@graphql-codegen/cli): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.


typescript-2.4.9.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - typescript-2.4.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (typescript version) Remediation Possible**
CVE-2022-25883 High 7.5 semver-6.3.0.tgz Transitive 4.0.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • typescript-2.4.9.tgz (Root Library)
    • visitor-plugin-common-2.7.5.tgz
      • relay-operation-optimizer-6.4.5.tgz
        • relay-compiler-12.0.0.tgz
          • core-7.17.8.tgz
            • semver-6.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (@graphql-codegen/typescript): 4.0.1

⛑️ Automatic Remediation will be attempted for this issue.


spectaql-1.4.2.tgz: 11 vulnerabilities (highest severity is: 9.1) - autoclosed

Vulnerable Library - spectaql-1.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spectaql version) Remediation Possible**
CVE-2019-10744 Critical 9.1 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2022-46175 High 8.8 json5-2.2.1.tgz Transitive 1.5.0
CVE-2022-3517 High 7.5 minimatch-2.0.10.tgz Transitive N/A*
CVE-2020-8203 High 7.4 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2021-23337 High 7.2 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2019-1010266 Medium 6.5 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2018-16487 Medium 5.6 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2016-10540 Medium 5.5 minimatch-2.0.10.tgz Transitive 2.0.0
CVE-2018-3721 Medium 5.5 lodash-2.4.2.tgz Transitive 2.0.0
CVE-2023-26144 Medium 5.3 graphql-16.5.0.tgz Transitive N/A*
CVE-2020-28500 Medium 5.3 lodash-2.4.2.tgz Transitive 2.0.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-10744

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-46175

Vulnerable Library - json5-2.2.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • json5-2.2.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (spectaql): 1.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-prettify-0.4.0.tgz
      • globby-0.1.1.tgz
        • glob-4.5.3.tgz
          • minimatch-2.0.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2020-8203

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-1010266

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-16487

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-10540

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-prettify-0.4.0.tgz
      • globby-0.1.1.tgz
        • glob-4.5.3.tgz
          • minimatch-2.0.10.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3721

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-04-26

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-26144

Vulnerable Library - graphql-16.5.0.tgz

A Query Language and Runtime which can target any service.

Library home page: https://registry.npmjs.org/graphql/-/graphql-16.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • graphql-16.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

Note: It was not proven that this vulnerability can crash the process.

Publish Date: 2023-09-20

URL: CVE-2023-26144

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-09-20

Fix Resolution: graphql - 16.8.1

CVE-2020-28500

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • spectaql-1.4.2.tgz (Root Library)
    • grunt-embed-0.0.1.tgz
      • resource-embedder-0.0.4.tgz
        • lodash-2.4.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (spectaql): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

typescript-2.4.9.tgz: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - typescript-2.4.9.tgz (the @graphql-codegen/typescript plugin named in the fix resolution below, not the TypeScript compiler)

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/core/node_modules/semver/package.json,/node_modules/@babel/helper-compilation-targets/node_modules/semver/package.json,/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (typescript version) Remediation Possible**
CVE-2022-25883 High 7.5 semver-6.3.0.tgz Transitive 4.0.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25883

Vulnerable Library - semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/core/node_modules/semver/package.json,/node_modules/@babel/helper-compilation-targets/node_modules/semver/package.json,/package.json

Dependency Hierarchy:

  • typescript-2.4.9.tgz (Root Library)
    • visitor-plugin-common-2.7.5.tgz
      • relay-operation-optimizer-6.4.5.tgz
        • relay-compiler-12.0.0.tgz
          • core-7.17.8.tgz
            • semver-6.3.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 7.5.2

Direct dependency fix Resolution (@graphql-codegen/typescript): 4.0.1

⛑️ Automatic Remediation will be attempted for this issue.
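Both the lodash and the semver findings above turn on the same question: is the version actually resolved in the lockfile inside the affected range (lodash 2.4.2 is not, per Mend's own note; the nested semver 6.3.0 under @babel/core is). The following is an added example, not code from temporalio/graphql or Mend, that answers that question from a package-lock.json. The advisory table is transcribed from the findings on this page, with "max" being the first fixed version (exclusive) and "min" the first affected version (inclusive); prerelease tags are ignored, which is an assumption that holds for the versions involved here. The lockfile contents are constructed to mirror the dependency hierarchies reported above.

```typescript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// against the affected ranges stated in this report. Not project code.

interface Advisory {
  pkg: string;
  cve: string;
  ranges: { min?: string; max: string }[]; // min inclusive, max exclusive (first fixed)
}

interface Finding { path: string; pkg: string; version: string; cve: string; fixedIn: string }

const ADVISORIES: Advisory[] = [
  { pkg: "graphql",    cve: "CVE-2023-26144", ranges: [{ min: "16.3.0", max: "16.8.1" }] },
  // Mend's note narrows CVE-2020-28500 to lodash 4.0.0 through 4.17.20.
  { pkg: "lodash",     cve: "CVE-2020-28500", ranges: [{ min: "4.0.0", max: "4.17.21" }] },
  { pkg: "semver",     cve: "CVE-2022-25883", ranges: [{ max: "7.5.2" }] },
  { pkg: "protobufjs", cve: "CVE-2022-25878", ranges: [{ max: "6.11.3" }] },
  { pkg: "protobufjs", cve: "CVE-2023-36665", ranges: [{ min: "6.10.0", max: "6.11.4" }, { min: "7.0.0", max: "7.2.4" }] },
];

type Triple = [number, number, number];

function parseVersion(v: string): Triple {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a: Triple, b: Triple): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(version: string, adv: Advisory): boolean {
  const v = parseVersion(version);
  return adv.ranges.some(r =>
    (r.min === undefined || compare(v, parseVersion(r.min)) >= 0) &&
    compare(v, parseVersion(r.max)) < 0);
}

// The package name is whatever follows the last "node_modules/" in the lockfile path,
// which also handles nested copies such as node_modules/@babel/core/node_modules/semver.
function packageName(lockPath: string): string {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lockJson: string, advisories: Advisory[] = ADVISORIES): Finding[] {
  const lock = JSON.parse(lockJson) as { packages?: { [path: string]: { version?: string } } };
  const packages = lock.packages ?? {};
  const findings: Finding[] = [];
  for (const path of Object.keys(packages)) {
    const version = packages[path].version;
    if (path.indexOf("node_modules/") === -1 || !version) continue; // skip the root entry
    const pkg = packageName(path);
    for (const adv of advisories) {
      if (adv.pkg === pkg && isAffected(version, adv)) {
        findings.push({ path, pkg, version, cve: adv.cve, fixedIn: adv.ranges.map(r => r.max).join(" / ") });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment mirroring the hierarchies reported on this page.
const SAMPLE_LOCK = JSON.stringify({
  name: "graphql",
  lockfileVersion: 3,
  packages: {
    "": { name: "graphql" },
    "node_modules/graphql": { version: "16.5.0" },
    "node_modules/lodash": { version: "2.4.2" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/@babel/core/node_modules/semver": { version: "6.3.0" },
    "node_modules/protobufjs": { version: "6.11.2" },
  },
});
```

Running `auditLockfile(SAMPLE_LOCK)` reports graphql 16.5.0, the nested semver 6.3.0 and protobufjs 6.11.2 (twice, once per CVE) and stays silent on lodash 2.4.2 and the top-level semver 7.5.4, which is the answer a remediation PR should be checked against: the fix only counts if the nested copy under @babel/core moves, not just the top-level one.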

client-0.23.0.tgz: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - client-0.23.0.tgz (@temporalio/client, the Temporal TypeScript SDK client named in the fix resolution below)

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (client version) Remediation Possible**
CVE-2023-36665 Critical 9.8 protobufjs-6.11.2.tgz Transitive N/A*
CVE-2022-25878 High 7.5 protobufjs-6.11.2.tgz Transitive 1.0.1

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36665

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • client-0.23.0.tgz (Root Library)
    • protobufjs-6.11.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h755-8qp9-cq85

Release Date: 2023-07-05

Fix Resolution: protobufjs - 6.11.4 (6.x line), 7.2.4 (7.x line)

CVE-2022-25878

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • client-0.23.0.tgz (Root Library)
    • protobufjs-6.11.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by parsing/loading .proto files

Publish Date: 2022-05-27

URL: CVE-2022-25878

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878

Release Date: 2022-05-27

Fix Resolution (protobufjs): 6.11.3

Direct dependency fix Resolution (@temporalio/client): 1.0.1

⛑️ Automatic Remediation will be attempted for this issue.
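Both protobufjs advisories above describe the same bug class: a dotted-path setter (util.setProperty and the option-parsing code that calls it) walks `a.b.c` through an object and will happily walk through `__proto__`, landing on Object.prototype. The following is an added example, not protobufjs source and not code from temporalio/graphql: a simplified reconstruction of that setter pattern, a function that demonstrates the pollution against an unrelated object and then cleans it up, and a hardened setter that refuses the reserved keys and only descends into own properties. Function names and the `polluted` marker key are assumptions for illustration.

```typescript
// Added example: the dotted-path setter pattern behind the protobufjs advisories,
// shown unsafe and hardened. Simplified reconstruction, not library code.

type Obj = { [key: string]: unknown };

// Unsafe: walks the path with plain property access, so "__proto__" as a segment
// steps onto Object.prototype and the final assignment lands there.
function setPropertyUnsafe(dst: Obj, path: string, value: unknown): Obj {
  const parts = path.split(".");
  let cur: any = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof cur[key] !== "object" || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Runs the unsafe setter with an attacker-shaped path, checks whether an unrelated
// object picked up the property, then removes the pollution so nothing else is affected.
function demonstratePollution(): boolean {
  setPropertyUnsafe({}, "__proto__.polluted", "yes");
  const victim: any = {};
  const hit = victim.polluted === "yes";
  delete (Object.prototype as any).polluted;
  return hit;
}

const RESERVED = ["__proto__", "constructor", "prototype"];

// Hardened: reserved segments are rejected outright, and traversal only follows own
// properties, so inherited objects are never used as an intermediate container.
function setPropertySafe(dst: Obj, path: string, value: unknown): Obj {
  const parts = path.split(".");
  let cur: Obj = dst;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (key === "" || RESERVED.indexOf(key) !== -1) {
      throw new Error(`refusing to set reserved or empty key "${key}" in path "${path}"`);
    }
    if (i === parts.length - 1) { cur[key] = value; break; }
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (typeof own !== "object" || own === null) {
      const fresh: Obj = {};
      cur[key] = fresh;
      cur = fresh;
    } else {
      cur = own as Obj;
    }
  }
  return dst;
}
```

The rejection list is the minimum for plain objects; an allowlist of expected option names is stronger where the schema is known, and in this project the relevant input is whatever .proto text or options reach the client, so the real fix remains the protobufjs upgrade to 6.11.3/6.11.4.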
