core-2.0.0-beta.18.tgz: 9 vulnerabilities (highest severity is: 7.8) - autoclosed

[mend-for-github-com]

Vulnerable Library - core-2.0.0-beta.18.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/node-forge/package.json

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2021-43138	High	7.8	async-2.6.3.tgz	Transitive	N/A	❌
CVE-2021-3807	High	7.5	ansi-regex-5.0.0.tgz	Transitive	N/A	❌
CVE-2020-7753	High	7.5	trim-0.0.1.tgz	Transitive	N/A	❌
CVE-2022-24772	High	7.5	node-forge-1.2.1.tgz	Transitive	N/A	❌
CVE-2022-24771	High	7.5	node-forge-1.2.1.tgz	Transitive	N/A	❌
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	N/A	❌
CVE-2022-33987	Medium	5.3	got-9.6.0.tgz	Transitive	N/A	❌
CVE-2022-24773	Medium	5.3	node-forge-1.2.1.tgz	Transitive	N/A	❌
CVE-2021-44906	Medium	5.0	minimist-1.2.5.tgz	Transitive	N/A	❌

Details

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/async/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • webpack-dev-server-4.7.4.tgz
    • portfinder-1.0.28.tgz
      • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

CVE-2021-3807

Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • cli-table3-0.6.2.tgz
    • string-width-4.2.2.tgz
      • strip-ansi-6.0.0.tgz
        • ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

CVE-2020-7753

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/trim/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • mdx-loader-2.0.0-beta.18.tgz
    • mdx-1.6.22.tgz
      • remark-parse-8.0.3.tgz
        • ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

CVE-2022-24772

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/node-forge/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • webpack-dev-server-4.7.4.tgz
    • selfsigned-2.0.0.tgz
      • ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

CVE-2022-24771

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/node-forge/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • webpack-dev-server-4.7.4.tgz
    • selfsigned-2.0.0.tgz
      • ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/@slorber/static-site-generator-webpack-plugin/node_modules/nth-check/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • static-site-generator-webpack-plugin-4.0.4.tgz
    • cheerio-0.22.0.tgz
      • css-select-1.2.0.tgz
        • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2022-33987

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/got/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • update-notifier-5.1.0.tgz
    • latest-version-5.1.0.tgz
      • package-json-6.5.0.tgz
        • ❌ got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

CVE-2022-24773

Vulnerable Library - node-forge-1.2.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/node-forge/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • webpack-dev-server-4.7.4.tgz
    • selfsigned-2.0.0.tgz
      • ❌ node-forge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /packages/docs/package.json

Path to vulnerable library: /packages/docs/node_modules/minimist/package.json

Dependency Hierarchy:

• core-2.0.0-beta.18.tgz (Root Library)
  • wait-on-6.0.1.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: fd77ceda0a8ab39fc542f3e9ee2875d074496775

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.