mend-bolt-for-github bot changed the title from "preset-classic-2.0.0-alpha.65.tgz: 6 vulnerabilities (highest severity is: 9.8)" to "preset-classic-2.0.0-alpha.65.tgz: 7 vulnerabilities (highest severity is: 9.8)" on Feb 21, 2022
mend-bolt-for-github bot changed the title from "preset-classic-2.0.0-alpha.65.tgz: 7 vulnerabilities (highest severity is: 9.8)" to "preset-classic-2.0.0-alpha.65.tgz: 9 vulnerabilities (highest severity is: 9.8)" on Jun 28, 2022
mend-bolt-for-github bot changed the title from "preset-classic-2.0.0-alpha.65.tgz: 9 vulnerabilities (highest severity is: 9.8)" to "preset-classic-2.0.0-alpha.65.tgz: 7 vulnerabilities (highest severity is: 9.8)" on Dec 9, 2022
Vulnerable Library - preset-classic-2.0.0-alpha.65.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/node-fetch/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2021-23433
Vulnerable Library - algoliasearch-helper-3.2.2.tgz
Helper for implementing advanced search features with algolia
Library home page: https://registry.npmjs.org/algoliasearch-helper/-/algoliasearch-helper-3.2.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/algoliasearch-helper/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.
Publish Date: 2021-11-19
URL: CVE-2021-23433
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23433
Release Date: 2021-11-19
Fix Resolution (algoliasearch-helper): 3.6.2
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
Step up your Open Source Security Game with Mend here
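The description above names the bug class but not the mechanism. The following is an added illustration, not algoliasearch-helper's code: a recursive merge that follows attacker-chosen keys (so a `"__proto__"` key lands on `Object.prototype`) next to the hardened form that refuses prototype keys and only descends into properties the target itself owns. Function names and the JSON payload are constructed for this example.

```javascript
// Added illustration of the bug class named in CVE-2021-23433 (a recursive
// merge that follows attacker-chosen keys such as "__proto__"). This is not
// algoliasearch-helper's code: the function names and the JSON payload are
// constructed for this example.

// Vulnerable shape: no key filtering, and `target[key]` is read with the
// normal property lookup, so key "__proto__" resolves to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);      // recurses into Object.prototype for "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: refuse the keys that reach the prototype chain, and only
// descend into plain objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object' || Array.isArray(own)) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Drives either merge with attacker-controlled "search parameters" arriving
// as JSON (constructed payload) and reports whether Object.prototype leaked.
function pollutionCheck(mergeFn) {
  const untrustedParams = JSON.parse('{"hitsPerPage": 20, "__proto__": {"isAdmin": true}}');
  const merged = mergeFn({}, untrustedParams);
  const leaked = ({}).isAdmin === true;   // a fresh object inherits the injected property
  delete Object.prototype.isAdmin;        // undo the pollution so later runs start clean
  return { hitsPerPage: merged.hitsPerPage, polluted: leaked };
}
```

`JSON.parse` creates `"__proto__"` as an ordinary own property, so `Object.keys` hands it to the merge; the damage happens when the merge reads `target["__proto__"]` with a normal lookup. Using `Object.create(null)` for the accumulator is a second, independent guard when the merged object never needs prototype methods.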
CVE-2021-23341
Vulnerable Library - prismjs-1.22.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.22.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/prismjs/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  theme-classic-2.0.0-alpha.65.tgz
    ❌ prismjs-1.22.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Publish Date: 2021-02-18
URL: CVE-2021-23341
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23341
Release Date: 2021-02-18
Fix Resolution (prismjs): 1.23.0
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
CVE-2021-3801
Vulnerable Library - prismjs-1.22.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.22.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/prismjs/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  theme-classic-2.0.0-alpha.65.tgz
    ❌ prismjs-1.22.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
prism is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3801
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3801
Release Date: 2021-09-15
Fix Resolution (prismjs): 1.25.0
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
CVE-2021-32723
Vulnerable Library - prismjs-1.22.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.22.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/prismjs/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  theme-classic-2.0.0-alpha.65.tgz
    ❌ prismjs-1.22.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
Publish Date: 2021-06-28
URL: CVE-2021-32723
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gj77-59wh-66hg
Release Date: 2021-06-28
Fix Resolution (prismjs): 1.24.0
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
CVE-2022-23647
Vulnerable Library - prismjs-1.22.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.22.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/prismjs/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  theme-classic-2.0.0-alpha.65.tgz
    ❌ prismjs-1.22.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution (prismjs): 1.27.0
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
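The prismjs entries above come with two workarounds: escape text before it is inserted into the DOM (the command line plugin bug in CVE-2022-23647) and keep the ReDoS-affected grammars away from untrusted text (CVE-2021-23341 and CVE-2021-32723). The following is an added example, not Prism's code, that shows both: the unescaped render shape beside the escaped one, and a gate that refuses to run the listed grammars on user-supplied snippets. The language block-list is the union of the components those advisories name; the size cap, function names, the `highlight` callback and the sample inputs are constructed.

```javascript
// Added example, not Prism's code, covering the two workarounds the
// advisories above give: escape text before it becomes HTML (the command
// line plugin bug, CVE-2022-23647) and keep the ReDoS-affected grammars away
// from untrusted input (CVE-2021-23341, CVE-2021-32723). The language
// block-list is the union of the components those advisories name; the
// size cap, function names and sample inputs are constructed.

const REDOS_LANGUAGES = new Set(['asciidoc', 'rest', 'tap', 'eiffel', 'erb']);
const MAX_UNTRUSTED_LENGTH = 64 * 1024;   // constructed cap for user-supplied snippets

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Bug shape: raw line text is concatenated into the generated markup, so a
// line like <img src=x onerror=...> is parsed as an element, not shown as text.
function renderCommandLineUnsafe(lines, prompt) {
  return lines
    .map(line => `<span class="command-line-prompt">${prompt}</span>${line}`)
    .join('\n');
}

// Fixed shape: escape exactly once, at the point where text becomes HTML.
function renderCommandLineSafe(lines, prompt) {
  return lines
    .map(line => `<span class="command-line-prompt">${escapeHtml(prompt)}</span>${escapeHtml(line)}`)
    .join('\n');
}

// Gate for user-supplied code blocks. `highlight(code, language)` stands in
// for Prism.highlight and must return HTML; blocked languages and oversized
// input fall back to escaped plain text instead of running the grammar.
function highlightUntrusted(code, language, highlight) {
  if (typeof code !== 'string') throw new TypeError('code must be a string');
  const lang = String(language || 'text').toLowerCase();
  if (code.length > MAX_UNTRUSTED_LENGTH) {
    return { html: escapeHtml(code), highlighted: false, reason: 'too-large' };
  }
  if (REDOS_LANGUAGES.has(lang)) {
    return { html: escapeHtml(code), highlighted: false, reason: 'language-blocked' };
  }
  return { html: highlight(code, lang), highlighted: true, reason: null };
}
```

Upgrading prismjs to 1.27.0 removes the need for the block-list, but the gate is still worth keeping: the next grammar ReDoS will be found the same way, and a size cap bounds the work any regex can do on one request.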
CVE-2022-0235
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/node-fetch/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  plugin-debug-2.0.0-alpha.65.tgz
    react-json-view-1.19.1.tgz
      flux-3.1.3.tgz
        fbjs-0.8.17.tgz
          isomorphic-fetch-2.2.1.tgz
            ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7, 3.1.1
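The entry above lists fix versions for node-fetch but no fix through the direct dependency, and the other entries need @docusaurus/preset-classic 2.0.0. When the preset upgrade is not possible yet, the transitive version can be forced from the root package.json with npm's `overrides` field (npm 8.3 and later; Yarn classic uses `resolutions` for the same purpose). The following is an added example, not Mend's or Docusaurus's code, that turns the findings on this page into such an override plan: per library it picks the lowest listed fix that is at or above every finding's earliest fix, flags major-version jumps, and merges the result into a package.json object without downgrading a pin that is already higher. The findings list is transcribed from this issue; the version comparison handles plain x.y.z only (prerelease tags are ignored), and the package.json object in the check is constructed.

```javascript
// Added example (not Mend's or Docusaurus's code): derive npm "overrides"
// for the transitive findings reported above. Findings are transcribed from
// this issue; everything else here is constructed for illustration.

const FINDINGS = [
  { cve: 'CVE-2021-23433', library: 'algoliasearch-helper', installed: '3.2.2', fixed: ['3.6.2'] },
  { cve: 'CVE-2021-23341', library: 'prismjs', installed: '1.22.0', fixed: ['1.23.0'] },
  { cve: 'CVE-2021-3801',  library: 'prismjs', installed: '1.22.0', fixed: ['1.25.0'] },
  { cve: 'CVE-2021-32723', library: 'prismjs', installed: '1.22.0', fixed: ['1.24.0'] },
  { cve: 'CVE-2022-23647', library: 'prismjs', installed: '1.22.0', fixed: ['1.27.0'] },
  { cve: 'CVE-2022-0235',  library: 'node-fetch', installed: '1.7.3', fixed: ['2.6.7', '3.1.1'] },
  { cve: 'CVE-2020-15168', library: 'node-fetch', installed: '1.7.3', fixed: ['2.6.1'] },
];

// Minimal x.y.z parser: accepts a leading ^ or ~ and ignores prerelease tags
// (so "3.0.0-beta.9" compares as 3.0.0). Not a full semver implementation.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A finding is closed by `target` if the advisory lists a fixed release on
// the same major line that is <= target (2.6.7 closes "fixed in 2.6.7, 3.1.1";
// 3.0.0 would not, because the 3.x fix starts at 3.1.1).
function satisfies(target, fixed) {
  const major = parseVersion(target)[0];
  return fixed.some(v => parseVersion(v)[0] === major && compareVersions(target, v) >= 0);
}

// Per library: the override target is the highest of each finding's lowest
// fix, and every finding is then re-checked against that target.
function planOverrides(findings) {
  const byLib = new Map();
  for (const f of findings) {
    const lowestFix = [...f.fixed].sort(compareVersions)[0];
    const entry = byLib.get(f.library) || { installed: f.installed, target: lowestFix, findings: [] };
    entry.findings.push(f);
    if (compareVersions(lowestFix, entry.target) > 0) entry.target = lowestFix;
    byLib.set(f.library, entry);
  }
  const plan = {};
  for (const [lib, e] of byLib) {
    plan[lib] = {
      from: e.installed,
      to: e.target,
      majorBump: parseVersion(e.target)[0] !== parseVersion(e.installed)[0], // expect API breaks; test the build
      unfixed: e.findings.filter(f => !satisfies(e.target, f.fixed)).map(f => f.cve),
    };
  }
  return plan;
}

// Merge the plan into a package.json object (npm >= 8.3 "overrides" field;
// Yarn classic users would write the same map under "resolutions").
function applyOverrides(pkg, plan) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.overrides = { ...(out.overrides || {}) };
  for (const [lib, { to }] of Object.entries(plan)) {
    const existing = out.overrides[lib];
    if (existing !== undefined && compareVersions(existing, to) >= 0) continue; // keep a higher pin
    out.overrides[lib] = to;
  }
  return out;
}
```

The `majorBump` flag matters here: node-fetch 1.7.3 to 2.6.7 is a major jump, and an override silently replaces what isomorphic-fetch was written against, so run the docs build and its tests after pinning. After `npm install`, `npm ls node-fetch prismjs algoliasearch-helper` confirms the lockfile now resolves to the pinned versions.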
CVE-2020-15168
Vulnerable Library - node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/node-fetch/package.json
Dependency Hierarchy:
preset-classic-2.0.0-alpha.65.tgz (Root Library)
  plugin-debug-2.0.0-alpha.65.tgz
    react-json-view-1.19.1.tgz
      flux-3.1.3.tgz
        fbjs-0.8.17.tgz
          isomorphic-fetch-2.2.1.tgz
            ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant; for example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution (node-fetch): 2.6.1
Direct dependency fix Resolution (@docusaurus/preset-classic): 2.0.0
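The advisory's own advice is to double-check the size yourself rather than rely on the `size` option. The following is an added example, not node-fetch's code, of that check: refuse an over-limit Content-Length before reading, then count bytes while the body is consumed, regardless of whether the response arrived through a redirect. The `response` shape here (a `headers` map with `get()`, a `redirected` flag, and `body` as an iterable of Buffer chunks) is a constructed stand-in for a fetch Response so the check runs offline; with node-fetch v2 the same loop runs over `res.body` with `for await`. Function names and sample data are constructed.

```javascript
// Added example for CVE-2020-15168 (not node-fetch's code). Rather than
// trusting the `size` option, enforce the limit yourself: reject an
// over-limit Content-Length before reading, then count bytes while the body
// is consumed. `response` is a constructed stand-in for a fetch Response
// (headers.get(), redirected, body as an iterable of Buffer chunks); with
// node-fetch v2 you would iterate `res.body` with `for await` instead.

class MaxSizeError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (saw ${seen})`);
    this.name = 'MaxSizeError';
    this.type = 'max-size';   // mirrors the FetchError `type` convention
  }
}

function readBodyWithLimit(response, limit) {
  // The check deliberately ignores response.redirected: the limit applies to
  // whatever was finally fetched, which is exactly the case where the
  // library's own check used to be skipped.
  const declared = response.headers.get('content-length');
  if (declared != null && Number(declared) > limit) {
    throw new MaxSizeError(limit, Number(declared));   // refuse before touching the body
  }
  const chunks = [];
  let seen = 0;
  for (const chunk of response.body) {
    seen += chunk.length;
    if (seen > limit) throw new MaxSizeError(limit, seen); // stop mid-stream; don't buffer the rest
    chunks.push(chunk);
  }
  return Buffer.concat(chunks);
}

// Constructed Response stand-in used by the checks below.
function makeResponse({ chunks, contentLength = null, redirected = false }) {
  const headers = new Map();
  if (contentLength !== null) headers.set('content-length', String(contentLength));
  return { redirected, headers, body: chunks.map(c => Buffer.from(c)) };
}
```

Content-Length is a hint, not a guarantee (it can be absent after a redirect, or simply wrong), which is why the byte counter in the read loop is the check that actually holds; the header test only saves the round trip when the server is honest.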