build-angular-0.8.4.tgz: 95 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - build-angular-0.8.4.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/uglify-js/package.json

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (build-angular version)	Remediation Possible**
WS-2021-0153	Critical	9.8	ejs-2.6.1.tgz	Transitive	0.10.1	❌
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	0.8.5	❌
CVE-2023-26136	Critical	9.8	tough-cookie-2.4.3.tgz	Transitive	0.1000.0	❌
CVE-2022-37601	Critical	9.8	detected in multiple dependencies	Transitive	0.901.0	❌
CVE-2022-37598	Critical	9.8	uglify-js-3.4.9.tgz	Transitive	0.10.1	❌
CVE-2022-29078	Critical	9.8	ejs-2.6.1.tgz	Transitive	0.10.1	❌
CVE-2022-0691	Critical	9.8	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2021-23440	Critical	9.8	detected in multiple dependencies	Transitive	0.8.5	❌
CVE-2021-23383	Critical	9.8	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2021-23369	Critical	9.8	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2020-7774	Critical	9.8	y18n-4.0.0.tgz	Transitive	0.8.5	❌
CVE-2019-19919	Critical	9.8	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2019-15599	Critical	9.8	tree-kill-1.2.0.tgz	Transitive	0.8.5	❌
CVE-2019-10747	Critical	9.8	detected in multiple dependencies	Transitive	0.8.5	❌
CVE-2019-10746	Critical	9.8	mixin-deep-1.3.1.tgz	Transitive	0.8.5	❌
CVE-2022-1650	Critical	9.3	eventsource-0.1.6.tgz	Transitive	0.8.5	❌
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2022-0686	Critical	9.1	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2019-10744	Critical	9.1	lodash-4.17.10.tgz	Transitive	0.8.5	❌
CVE-2024-33883	High	8.8	ejs-2.6.1.tgz	Transitive	N/A*	❌
CVE-2023-45133	High	8.8	babel-traverse-6.26.0.tgz	Transitive	N/A*	❌
CVE-2022-46175	High	8.8	json5-0.5.1.tgz	Transitive	0.13.0	❌
CVE-2020-7660	High	8.1	serialize-javascript-1.5.0.tgz	Transitive	0.803.28	❌
CVE-2019-20920	High	8.1	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2018-11693	High	8.1	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2021-43138	High	7.8	async-2.6.1.tgz	Transitive	0.8.5	❌
CVE-2020-13822	High	7.7	elliptic-6.4.1.tgz	Transitive	0.8.5	❌
WS-2020-0450	High	7.5	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
WS-2020-0042	High	7.5	acorn-5.7.3.tgz	Transitive	0.8.5	❌
CVE-2024-4068	High	7.5	braces-2.3.2.tgz	Transitive	N/A*	❌
CVE-2023-46234	High	7.5	browserify-sign-4.0.4.tgz	Transitive	0.8.5	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	0.8.5	❌
CVE-2022-37620	High	7.5	html-minifier-3.5.20.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.1.0.tgz	Transitive	0.8.5	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2022-25883	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	detected in multiple dependencies	Transitive	0.8.5	❌
CVE-2022-24772	High	7.5	node-forge-0.7.5.tgz	Transitive	13.2.0	❌
CVE-2022-24771	High	7.5	node-forge-0.7.5.tgz	Transitive	13.2.0	❌
CVE-2022-21222	High	7.5	css-what-2.1.0.tgz	Transitive	0.8.5	❌
CVE-2021-3807	High	7.5	ansi-regex-3.0.0.tgz	Transitive	0.8.5	❌
CVE-2021-3803	High	7.5	nth-check-1.0.1.tgz	Transitive	0.8.5	❌
CVE-2021-27290	High	7.5	ssri-5.3.0.tgz	Transitive	0.13.10	❌
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	0.8.5	❌
CVE-2021-23382	High	7.5	postcss-6.0.23.tgz	Transitive	0.1102.13	❌
CVE-2020-7662	High	7.5	websocket-extensions-0.1.3.tgz	Transitive	0.8.5	❌
CVE-2020-28469	High	7.5	glob-parent-3.1.0.tgz	Transitive	13.0.0	❌
CVE-2019-20922	High	7.5	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	0.8.5	❌
CVE-2024-29180	High	7.4	webpack-dev-middleware-3.4.0.tgz	Transitive	15.1.0	❌
CVE-2020-8203	High	7.4	lodash-4.17.10.tgz	Transitive	0.8.5	❌
WS-2019-0064	High	7.3	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2020-7720	High	7.3	node-forge-0.7.5.tgz	Transitive	0.8.5	❌
CVE-2018-11499	High	7.3	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2021-23337	High	7.2	lodash-4.17.10.tgz	Transitive	0.8.5	❌
CVE-2020-28498	Medium	6.8	elliptic-6.4.1.tgz	Transitive	0.8.5	❌
WS-2022-0008	Medium	6.6	node-forge-0.7.5.tgz	Transitive	13.2.0	❌
CVE-2021-23386	Medium	6.5	dns-packet-1.3.1.tgz	Transitive	0.8.5	❌
CVE-2019-6286	Medium	6.5	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2019-6284	Medium	6.5	node-sass-4.9.3.tgz	Transitive	0.800.0	❌
CVE-2019-6283	Medium	6.5	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2019-18797	Medium	6.5	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2019-1010266	Medium	6.5	lodash-4.17.10.tgz	Transitive	0.8.5	❌
CVE-2018-20822	Medium	6.5	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2018-20821	Medium	6.5	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2018-20190	Medium	6.5	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2018-19838	Medium	6.5	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2018-19837	Medium	6.5	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2024-29041	Medium	6.1	express-4.16.3.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-0122	Medium	6.1	node-forge-0.7.5.tgz	Transitive	13.2.0	❌
WS-2019-0427	Medium	5.9	elliptic-6.4.1.tgz	Transitive	0.8.5	❌
WS-2019-0424	Medium	5.9	elliptic-6.4.1.tgz	Transitive	0.8.5	❌
WS-2019-0103	Medium	5.6	handlebars-4.0.11.tgz	Transitive	0.8.5	❌
CVE-2020-15366	Medium	5.6	detected in multiple dependencies	Transitive	0.803.29	❌
CVE-2018-19827	Medium	5.6	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2018-16487	Medium	5.6	lodash-4.17.10.tgz	Transitive	0.8.5	❌
CVE-2018-11696	Medium	5.6	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2018-11694	Medium	5.6	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2019-16769	Medium	5.4	serialize-javascript-1.5.0.tgz	Transitive	0.13.10	❌
CVE-2024-4067	Medium	5.3	micromatch-3.1.10.tgz	Transitive	13.0.0	❌
CVE-2022-24773	Medium	5.3	node-forge-0.7.5.tgz	Transitive	13.2.0	❌
CVE-2022-0639	Medium	5.3	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2022-0512	Medium	5.3	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2021-3664	Medium	5.3	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2021-27515	Medium	5.3	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2020-8124	Medium	5.3	url-parse-1.4.3.tgz	Transitive	0.8.5	❌
CVE-2020-7693	Medium	5.3	sockjs-0.3.19.tgz	Transitive	0.8.5	❌
CVE-2020-7608	Medium	5.3	yargs-parser-10.1.0.tgz	Transitive	0.8.5	❌
CVE-2020-28500	Medium	5.3	lodash-4.17.10.tgz	Transitive	0.8.5	❌
CVE-2020-24025	Medium	5.3	node-sass-4.9.3.tgz	Transitive	0.800.0	❌
CVE-2018-11697	Medium	4.8	node-sass-4.9.3.tgz	Transitive	0.8.5	❌
CVE-2018-19839	Low	3.7	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2018-19797	Low	3.7	node-sass-4.9.3.tgz	Transitive	N/A*	❌
CVE-2017-16137	Low	3.7	debug-3.2.5.tgz	Transitive	0.8.5	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

WS-2021-0153

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/ejs/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • license-webpack-plugin-1.5.0.tgz
    • ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.10.1

Step up your Open Source Security Game with Mend here

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/ip/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-dev-server-3.1.9.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2023-26136

Vulnerable Library - tough-cookie-2.4.3.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.4.3.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/request/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • less-3.8.1.tgz
    • request-2.88.0.tgz
      • ❌ tough-cookie-2.4.3.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • html-webpack-plugin-3.2.0.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/loader-utils/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • ❌ loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.0

Step up your Open Source Security Game with Mend here

CVE-2022-37598

Vulnerable Library - uglify-js-3.4.9.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.9.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/uglify-js/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • html-webpack-plugin-3.2.0.tgz
    • html-minifier-3.5.20.tgz
      • ❌ uglify-js-3.4.9.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.10.1

Step up your Open Source Security Game with Mend here

CVE-2022-29078

Vulnerable Library - ejs-2.6.1.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.6.1.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/ejs/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • license-webpack-plugin-1.5.0.tgz
    • ❌ ejs-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.10.1

Step up your Open Source Security Game with Mend here

CVE-2022-0691

Vulnerable Library - url-parse-1.4.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.3.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-dev-server-3.1.9.tgz
    • sockjs-client-1.1.5.tgz
      • ❌ url-parse-1.4.3.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2021-23440

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-4.20.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • union-value-1.0.0.tgz
              • ❌ set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/set-value/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-4.20.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • ❌ set-value-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/

Release Date: 2021-09-12

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2021-23383

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/handlebars/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • istanbul-0.4.5.tgz
    • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2021-23369

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/handlebars/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • istanbul-0.4.5.tgz
    • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2020-7774

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/y18n/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • uglifyjs-webpack-plugin-1.3.0.tgz
    • cacache-10.0.4.tgz
      • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2019-19919

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/handlebars/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • istanbul-0.4.5.tgz
    • ❌ handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2019-15599

Vulnerable Library - tree-kill-1.2.0.tgz

kill trees of processes

Library home page: https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.0.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/tree-kill/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • ❌ tree-kill-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Mend Note: Converted from WS-2020-0005, on 2022-11-08.

Publish Date: 2019-12-18

URL: CVE-2019-15599

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/701183

Release Date: 2019-12-18

Fix Resolution (tree-kill): 1.2.2

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2019-10747

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/set-value/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-4.20.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • ❌ set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-4.20.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • union-value-1.0.0.tgz
              • ❌ set-value-0.4.3.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2019-10746

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/mixin-deep/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-4.20.2.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here

CVE-2022-1650

Vulnerable Library - eventsource-0.1.6.tgz

W3C compliant EventSource client for Node.js

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz

Path to dependency file: /ClientApp/package.json

Path to vulnerable library: /ClientApp/node_modules/eventsource/package.json

Dependency Hierarchy:

• build-angular-0.8.4.tgz (Root Library)
  • webpack-dev-server-3.1.9.tgz
    • sockjs-client-1.1.5.tgz
      • ❌ eventsource-0.1.6.tgz (Vulnerable Library)

Found in HEAD commit: b984cd05e6d24e7f9d2e92ad8183e9a4a732743c

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (@angular-devkit/build-angular): 0.8.5

Step up your Open Source Security Game with Mend here