Description
Vulnerable Library - semantic-release-4.3.5.tgz
automated semver compliant package publishing
Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-4.3.5.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/semantic-release/package.json
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (semantic-release version) | Remediation Available |
|---|---|---|---|---|---|
| CVE-2021-3918 | 9.8 | json-schema-0.2.3.tgz | Transitive | 5.0.0 | ✅ |
| CVE-2020-7788 | 9.8 | ini-1.3.5.tgz | Transitive | 5.0.0 | ✅ |
| CVE-2019-10744 | 9.1 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2020-26226 | 8.1 | semantic-release-4.3.5.tgz | Direct | 17.2.3 | ✅ |
| CVE-2022-24999 | 7.5 | qs-6.5.2.tgz | Transitive | 5.0.0 | ✅ |
| CVE-2021-33623 | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 11.0.0 | ✅ |
| CVE-2020-8203 | 7.4 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2021-23337 | 7.2 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2019-1010266 | 6.5 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2018-3721 | 6.5 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2020-15366 | 5.6 | ajv-6.10.0.tgz | Transitive | 5.0.0 | ✅ |
| CVE-2018-16487 | 5.6 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2023-28155 | 5.5 | request-2.88.0.tgz | Transitive | N/A* | ❌ |
| CVE-2020-28500 | 5.3 | lodash-3.10.1.tgz | Transitive | 8.0.1 | ✅ |
| CVE-2021-23362 | 5.3 | hosted-git-info-2.7.1.tgz | Transitive | 5.0.0 | ✅ |
*For some transitive vulnerabilities, no version of the direct dependency contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
Details
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/mochify/node_modules/json-schema/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - last-release-npm-1.2.1.tgz
    - npm-registry-client-7.5.0.tgz
      - request-2.88.0.tgz
        - http-signature-1.2.0.tgz
          - jsprim-1.4.1.tgz
            - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (semantic-release): 5.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-7788
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/ini/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - npmconf-2.1.3.tgz
    - ❌ ini-1.3.5.tgz (Vulnerable Library)
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (semantic-release): 5.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-10744
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2020-26226
Vulnerable Library - semantic-release-4.3.5.tgz
automated semver compliant package publishing
Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-4.3.5.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/semantic-release/package.json
Dependency Hierarchy:
- ❌ semantic-release-4.3.5.tgz (Vulnerable Library)
Vulnerability Details
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
Publish Date: 2020-11-18
URL: CVE-2020-26226
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r2j6-p67h-q639
Release Date: 2020-11-18
Fix Resolution: 17.2.3
⛑️ Automatic Remediation is available for this issue
CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/request/node_modules/qs/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - last-release-npm-1.2.1.tgz
    - npm-registry-client-7.5.0.tgz
      - request-2.88.0.tgz
        - ❌ qs-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (semantic-release): 5.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-33623
Vulnerable Library - trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/trim-newlines/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - commit-analyzer-2.0.0.tgz
    - conventional-changelog-0.0.17.tgz
      - dateformat-1.0.12.tgz
        - meow-3.7.0.tgz
          - ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (semantic-release): 11.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-8203
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2021-23337
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2019-1010266
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-17
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2018-3721
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-04-26
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2020-15366
Vulnerable Library - ajv-6.10.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - last-release-npm-1.2.1.tgz
    - npm-registry-client-7.5.0.tgz
      - request-2.88.0.tgz
        - har-validator-5.1.3.tgz
          - ❌ ajv-6.10.0.tgz (Vulnerable Library)
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (semantic-release): 5.0.0
⛑️ Automatic Remediation is available for this issue
CVE-2018-16487
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/380873
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2023-28155
Vulnerable Library - request-2.88.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - last-release-npm-1.2.1.tgz
    - npm-registry-client-7.5.0.tgz
      - ❌ request-2.88.0.tgz (Vulnerable Library)
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2020-28500
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/conventional-changelog/node_modules/lodash/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (semantic-release): 8.0.1
⛑️ Automatic Remediation is available for this issue
CVE-2021-23362
Vulnerable Library - hosted-git-info-2.7.1.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.7.1.tgz
Path to dependency file: /justapis-javascript-sdk/package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
- semantic-release-4.3.5.tgz (Root Library)
  - last-release-npm-1.2.1.tgz
    - npm-registry-client-7.5.0.tgz
      - npm-package-arg-4.2.1.tgz
        - ❌ hosted-git-info-2.7.1.tgz (Vulnerable Library)
Vulnerability Details
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (semantic-release): 5.0.0
⛑️ Automatic Remediation is available for this issue