jasmine-reporters-2.5.0.tgz: 2 vulnerabilities (highest severity is: 6.5)

[dev-mend-for-github-com]

Vulnerable Library - jasmine-reporters-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (jasmine-reporters version)	Remediation Possible**	Reachability
CVE-2021-32796	Medium	6.5	xmldom-0.7.9.tgz	Transitive	N/A*	❌
CVE-2024-4011	Low	3.1	xmldom-0.7.9.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-32796

Vulnerable Library - xmldom-0.7.9.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• jasmine-reporters-2.5.0.tgz (Root Library)
  • ❌ xmldom-0.7.9.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Mend Note:

Publish Date: 2021-07-27

URL: CVE-2021-32796

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5fg8-2547-mr8q

Release Date: 2021-07-27

Fix Resolution: @xmldom/xmldom - 0.7.0

CVE-2024-4011

Vulnerable Library - xmldom-0.7.9.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• jasmine-reporters-2.5.0.tgz (Root Library)
  • ❌ xmldom-0.7.9.tgz (Vulnerable Library)

Found in base branch: electron-upgrade

Vulnerability Details

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.

Publish Date: 2024-06-26

URL: CVE-2024-4011

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-4011

Release Date: 2024-06-26

Fix Resolution: v16.11.5,v17.0.3,v17.1.1