Skip to content
This repository has been archived by the owner on Apr 27, 2022. It is now read-only.

build-angular-13.3.3.tgz: 4 vulnerabilities (highest severity is: 7.8) #89

Open
mend-bolt-for-github bot opened this issue Apr 22, 2022 · 0 comments
Open

build-angular-13.3.3.tgz: 4 vulnerabilities (highest severity is: 7.8) #89

mend-bolt-for-github bot opened this issue Apr 22, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Apr 22, 2022
edited
Loading

Vulnerable Library - build-angular-13.3.3.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/async/package.json

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-43138 High 7.8 async-2.6.3.tgz Transitive N/A
CVE-2020-28469 High 7.5 glob-parent-5.1.1.tgz Transitive N/A
CVE-2021-23386 Medium 6.5 dns-packet-1.3.1.tgz Transitive N/A
CVE-2021-23364 Medium 5.3 browserslist-4.15.0.tgz Transitive N/A

Details

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/async/package.json

Dependency Hierarchy:

  • build-angular-13.3.3.tgz (Root Library)
    • webpack-dev-server-4.7.3.tgz
      • portfinder-1.0.28.tgz
        • async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - v3.2.2

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28469

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • build-angular-13.3.3.tgz (Root Library)
    • webpack-dev-server-4.7.3.tgz
      • del-6.0.0.tgz
        • globby-11.0.1.tgz
          • fast-glob-3.2.4.tgz
            • glob-parent-5.1.1.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23386

Vulnerable Library - dns-packet-1.3.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/dns-packet/package.json

Dependency Hierarchy:

  • build-angular-13.3.3.tgz (Root Library)
    • webpack-dev-server-4.7.3.tgz
      • bonjour-3.5.0.tgz
        • multicast-dns-6.2.3.tgz
          • dns-packet-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution: dns-packet - 5.2.2

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23364

Vulnerable Library - browserslist-4.15.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.15.0.tgz

Path to dependency file: /angular/package.json

Path to vulnerable library: /angular/node_modules/@angular-devkit/build-angular/node_modules/browserslist/package.json

Dependency Hierarchy:

  • build-angular-13.3.3.tgz (Root Library)
    • browserslist-4.15.0.tgz (Vulnerable Library)

Found in HEAD commit: 2f6811d1524ee5c5357ac1bc44db8755973358c4

Found in base branch: develop

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here
@mend-bolt-for-github mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 22, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title build-angular-13.3.3.tgz: 3 vulnerabilities (highest severity is: 7.8) build-angular-13.3.3.tgz: 4 vulnerabilities (highest severity is: 7.8) Apr 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants