imagemin-webpack-plugin-2.4.2.tgz: 11 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - imagemin-webpack-plugin-2.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (imagemin-webpack-plugin version)	Remediation Possible**
CVE-2021-44906	Critical	9.8	minimist-0.0.8.tgz	Transitive	N/A*	❌
CVE-2024-4068	High	7.5	braces-2.3.2.tgz	Transitive	N/A*	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	N/A*	❌
CVE-2021-29059	High	7.5	is-svg-3.0.0.tgz	Transitive	N/A*	❌
CVE-2021-28092	High	7.5	is-svg-3.0.0.tgz	Transitive	N/A*	❌
CVE-2020-28469	High	7.5	glob-parent-3.1.0.tgz	Transitive	N/A*	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	N/A*	❌
CVE-2020-7598	Medium	5.6	minimist-0.0.8.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	micromatch-3.1.10.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-6.1.0.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • micromatch-3.1.10.tgz
          • ❌ braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: braces - 3.0.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-6.1.0.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • source-map-resolve-0.5.3.tgz
              • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution: decode-uri-component - 0.2.1

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nth-check/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-svgo-7.0.0.tgz
    • svgo-1.3.2.tgz
      • css-select-2.1.0.tgz
        • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2021-29059

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-svgo-7.0.0.tgz
    • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-21

Fix Resolution: is-svg - 4.3.0

CVE-2021-28092

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-svgo-7.0.0.tgz
    • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-6.1.0.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-data-descriptor/node_modules/kind-of/package.json,/node_modules/kind-of/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-6.1.0.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

CVE-2020-7598

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3

CVE-2024-4067

Vulnerable Library - micromatch-3.1.10.tgz

Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json

Dependency Hierarchy:

• imagemin-webpack-plugin-2.4.2.tgz (Root Library)
  • imagemin-6.1.0.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • ❌ micromatch-3.1.10.tgz (Vulnerable Library)

Found in HEAD commit: 7b22d0a7359c50785295f4edb6dc17a5631e26e0

Found in base branch: main

Vulnerability Details

The NPM package micromatch is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.

Publish Date: 2024-05-14

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-14

Fix Resolution: micromatch - 4.0.6