CVE-2021-27290 (High) detected in ssri-6.0.1.tgz, ssri-7.1.0.tgz - autoclosed

## CVE-2021-27290 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - ssri-6.0.1.tgz, ssri-7.1.0.tgz</summary>


<details><summary>ssri-6.0.1.tgz</summary>

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: <a href="https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz">https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz</a>
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack/node_modules/ssri/package.json


Dependency Hierarchy:
 - react-scripts-3.4.3.tgz (Root Library)
 - webpack-4.42.0.tgz
 - terser-webpack-plugin-1.4.5.tgz
 - cacache-12.0.4.tgz
 - :x: **ssri-6.0.1.tgz** (Vulnerable Library)
</details>
<details><summary>ssri-7.1.0.tgz</summary>

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: <a href="https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz">https://registry.npmjs.org/ssri/-/ssri-7.1.0.tgz</a>
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json


Dependency Hierarchy:
 - react-scripts-3.4.3.tgz (Root Library)
 - terser-webpack-plugin-2.3.8.tgz
 - cacache-13.0.1.tgz
 - :x: **ssri-7.1.0.tgz** (Vulnerable Library)
</details>

Found in HEAD commit: <a href="https://github.com/pactflow/https-github.com-pactflow-example-bi-directional-consumer-playwright/commit/874cb20f9370ccd4701dc2ff3464bb8ed6902695">874cb20f9370ccd4701dc2ff3464bb8ed6902695</a>
Found in base branch: main

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12
URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2021-27290>CVE-2021-27290</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://github.com/advisories/GHSA-vx3p-948g-6vhq">https://github.com/advisories/GHSA-vx3p-948g-6vhq</a>
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (react-scripts): 3.4.4Fix Resolution (ssri): 7.1.1
Direct dependency fix Resolution (react-scripts): 3.4.4


</details>


***

- [ ] Check this box to open an automated fix PR

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz, ssri-7.1.0.tgz - autoclosed #3

CVE-2021-27290 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz, ssri-7.1.0.tgz - autoclosed #3

Description

CVE-2021-27290 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions