Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2021-3795 (High) detected in semver-regex-1.0.0.tgz #1155

Closed
mend-for-github-com bot opened this issue Jan 14, 2022 · 0 comments · Fixed by #1105
Closed

CVE-2021-3795 (High) detected in semver-regex-1.0.0.tgz #1155

mend-for-github-com bot opened this issue Jan 14, 2022 · 0 comments · Fixed by #1105
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@mend-for-github-com
Copy link

CVE-2021-3795 - High Severity Vulnerability

Vulnerable Library - semver-regex-1.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz

Dependency Hierarchy:

  • @osd/ui-framework-1.0.0.tgz (Root Library)
    • yo-2.0.6.tgz
      • yeoman-doctor-3.0.2.tgz
        • bin-version-check-3.0.0.tgz
          • bin-version-2.0.0.tgz
            • find-versions-2.0.0.tgz
              • semver-regex-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: ddb2cc42e9e43fdc2358fe14019ab9679e775671

Found in base branch: main

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1

Release Date: 2021-09-15

Fix Resolution: semver-regex - 3.1.3,4.0.1
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 14, 2022
@tmarkley tmarkley added cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE labels Jan 14, 2022
This was referenced Jan 25, 2022
Closed
Closed
Merged
@tmarkley tmarkley added the v2.0.0 label Feb 4, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 9, 2022
@rshen91
feat(a11y): add data table for screen readers (sunburst, treemap, ici…
183154c 
…cle, flame) (opensearch-project#1155)

Fixes opensearch-project#1154
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@rshen91
feat(a11y): add data table for screen readers (sunburst, treemap, ici…
a1a68fe 
…cle, flame) (opensearch-project#1155)

Fixes opensearch-project#1154
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@semantic-release-bot
chore(release): 30.2.0 [skip ci]
4c9e3bf 
# [30.2.0](elastic/elastic-charts@v30.1.0...v30.2.0) (2021-06-10)

### Features

* **a11y:** add data table for screen readers (sunburst,  treemap, icicle, flame) ([opensearch-project#1155](elastic/elastic-charts#1155)) ([a1a68fe](elastic/elastic-charts@a1a68fe)), closes [opensearch-project#1154](elastic/elastic-charts#1154)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Removes KUI Generator and related dependencies tmarkley/OpenSearch-Dashboards
1 participant
@tmarkley