gitmoji-changelog-2.3.0.tgz: 12 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - gitmoji-changelog-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (gitmoji-changelog version)	Remediation Possible**
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2023-26136	Critical	9.8	tough-cookie-2.5.0.tgz	Transitive	N/A*	❌
CVE-2022-25912	Critical	9.8	simple-git-1.132.0.tgz	Transitive	N/A*	❌
CVE-2022-24433	Critical	9.8	simple-git-1.132.0.tgz	Transitive	N/A*	❌
CVE-2022-24066	Critical	9.8	simple-git-1.132.0.tgz	Transitive	N/A*	❌
CVE-2022-25883	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-25881	High	7.5	http-cache-semantics-3.8.1.tgz	Transitive	N/A*	❌
CVE-2024-28863	Medium	6.5	tar-4.4.19.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2023-0842	Medium	5.3	xml2js-0.4.23.tgz	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-7.0.0.tgz	Transitive	N/A*	❌
WS-2019-0307	Medium	5.1	mem-1.1.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • pacote-9.5.12.tgz
      • make-fetch-happen-5.0.2.tgz
        • socks-proxy-agent-4.0.2.tgz
          • socks-2.3.3.tgz
            • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution: ip - 1.1.9,2.0.1

Step up your Open Source Security Game with Mend here

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • npm-lifecycle-3.1.5.tgz
      • node-gyp-5.1.1.tgz
        • request-2.88.2.tgz
          • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

CVE-2022-25912

Vulnerable Library - simple-git-1.132.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-git/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • ❌ simple-git-1.132.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

Publish Date: 2022-12-06

URL: CVE-2022-25912

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912

Release Date: 2022-12-06

Fix Resolution: simple-git - 3.15.0

Step up your Open Source Security Game with Mend here

CVE-2022-24433

Vulnerable Library - simple-git-1.132.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-git/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • ❌ simple-git-1.132.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Publish Date: 2022-03-11

URL: CVE-2022-24433

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3f95-r44v-8mrg

Release Date: 2022-03-11

Fix Resolution: simple-git - 3.3.0

Step up your Open Source Security Game with Mend here

CVE-2022-24066

Vulnerable Library - simple-git-1.132.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-1.132.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-git/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • ❌ simple-git-1.132.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

Publish Date: 2022-04-01

URL: CVE-2022-24066

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-28xr-mwxg-3qc8

Release Date: 2022-04-01

Fix Resolution: simple-git - 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2022-25883

Vulnerable Libraries - semver-7.3.5.tgz, semver-5.7.1.tgz, semver-6.3.0.tgz

semver-7.3.5.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/meow/node_modules/semver/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • core-2.3.0.tgz
    • git-semver-tags-4.1.1.tgz
      • meow-8.1.2.tgz
        • normalize-package-data-3.0.3.tgz
          • ❌ semver-7.3.5.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • ❌ semver-5.7.1.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/git-semver-tags/node_modules/semver/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • core-2.3.0.tgz
    • git-semver-tags-4.1.1.tgz
      • ❌ semver-6.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Step up your Open Source Security Game with Mend here

CVE-2022-25881

Vulnerable Library - http-cache-semantics-3.8.1.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-3.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/http-cache-semantics/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • pacote-9.5.12.tgz
      • make-fetch-happen-5.0.2.tgz
        • ❌ http-cache-semantics-3.8.1.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

Step up your Open Source Security Game with Mend here

CVE-2024-28863

Vulnerable Library - tar-4.4.19.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • pacote-9.5.12.tgz
      • ❌ tar-4.4.19.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Publish Date: 2024-03-21

URL: CVE-2024-28863

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x3-32g6-xq36

Release Date: 2024-03-21

Fix Resolution: tar - 6.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • npm-lifecycle-3.1.5.tgz
      • node-gyp-5.1.1.tgz
        • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-0842

Vulnerable Library - xml2js-0.4.23.tgz

Simple XML to JavaScript object converter.

Library home page: https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xml2js/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • pom-parser-1.2.0.tgz
    • ❌ xml2js-0.4.23.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Publish Date: 2023-04-05

URL: CVE-2023-0842

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-0842

Release Date: 2023-04-05

Fix Resolution: xml2js - 0.5.0

Step up your Open Source Security Game with Mend here

CVE-2020-7608

Vulnerable Library - yargs-parser-7.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@iarna/cli/node_modules/yargs-parser/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • lock-verify-2.2.1.tgz
      • cli-1.2.0.tgz
        • yargs-8.0.2.tgz
          • ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

Step up your Open Source Security Game with Mend here

WS-2019-0307

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mem/package.json

Dependency Hierarchy:

• gitmoji-changelog-2.3.0.tgz (Root Library)
  • libnpm-3.0.1.tgz
    • lock-verify-2.2.1.tgz
      • cli-1.2.0.tgz
        • yargs-8.0.2.tgz
          • os-locale-2.1.0.tgz
            • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 798d1157e236e6d0cd62e0a0effd08c6c1a04b46

Found in base branch: main

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure in removal old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2018-08-27

Fix Resolution: mem - 4.0.0

Step up your Open Source Security Game with Mend here