log4brains-1.0.1.tgz: 21 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - log4brains-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (log4brains version)	Remediation Possible**
CVE-2022-37601	Critical	9.8	loader-utils-1.2.3.tgz	Transitive	N/A*	❌
CVE-2022-25912	Critical	9.8	simple-git-2.48.0.tgz	Transitive	N/A*	❌
CVE-2022-24433	Critical	9.8	simple-git-2.48.0.tgz	Transitive	N/A*	❌
CVE-2022-24066	Critical	9.8	simple-git-2.48.0.tgz	Transitive	N/A*	❌
CVE-2021-42740	Critical	9.8	shell-quote-1.7.2.tgz	Transitive	N/A*	❌
CVE-2022-2900	Critical	9.1	parse-url-6.0.5.tgz	Transitive	N/A*	❌
WS-2022-0238	High	7.5	parse-url-6.0.5.tgz	Transitive	N/A*	❌
WS-2022-0237	High	7.5	parse-url-6.0.5.tgz	Transitive	N/A*	❌
CVE-2024-37890	High	7.5	ws-7.4.6.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.2.3.tgz	Transitive	N/A*	❌
CVE-2022-23646	High	7.5	next-10.2.3.tgz	Transitive	N/A*	❌
CVE-2021-43803	High	7.5	next-10.2.3.tgz	Transitive	N/A*	❌
CVE-2021-3803	High	7.5	nth-check-1.0.2.tgz	Transitive	N/A*	❌
CVE-2022-0624	High	7.3	parse-path-4.0.4.tgz	Transitive	N/A*	❌
WS-2022-0239	Medium	6.1	parse-url-6.0.5.tgz	Transitive	N/A*	❌
CVE-2022-3224	Medium	6.1	parse-url-6.0.5.tgz	Transitive	N/A*	❌
CVE-2022-0235	Medium	6.1	node-fetch-2.6.1.tgz	Transitive	N/A*	❌
CVE-2021-37699	Medium	6.1	next-10.2.3.tgz	Transitive	N/A*	❌
CVE-2023-44270	Medium	5.3	postcss-8.2.13.tgz	Transitive	N/A*	❌
CVE-2022-21670	Medium	5.3	markdown-it-11.0.1.tgz	Transitive	N/A*	❌
CVE-2017-16137	Low	3.7	debug-4.1.1.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • next-10.2.3.tgz
      • styled-jsx-3.3.2.tgz
        • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution: loader-utils - 1.4.1,2.0.3

Step up your Open Source Security Game with Mend here

CVE-2022-25912

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • ❌ simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

Publish Date: 2022-12-06

URL: CVE-2022-25912

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-25912

Release Date: 2022-12-06

Fix Resolution: simple-git - 3.15.0

Step up your Open Source Security Game with Mend here

CVE-2022-24433

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • ❌ simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Publish Date: 2022-03-11

URL: CVE-2022-24433

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3f95-r44v-8mrg

Release Date: 2022-03-11

Fix Resolution: simple-git - 3.3.0

Step up your Open Source Security Game with Mend here

CVE-2022-24066

Vulnerable Library - simple-git-2.48.0.tgz

Simple GIT interface for node.js

Library home page: https://registry.npmjs.org/simple-git/-/simple-git-2.48.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • ❌ simple-git-2.48.0.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

Publish Date: 2022-04-01

URL: CVE-2022-24066

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-28xr-mwxg-3qc8

Release Date: 2022-04-01

Fix Resolution: simple-git - 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • next-10.2.3.tgz
      • react-dev-overlay-10.2.3.tgz
        • ❌ shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-2900

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • ❌ parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-14

URL: CVE-2022-2900

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-14

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

WS-2022-0238

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • ❌ parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

File Protocol Spoofing in parse-url before 8.0.0 can lead to attacks, such as XSS, Arbitrary Read/Write File, and Remote Code Execution.

Publish Date: 2022-06-30

URL: WS-2022-0238

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

Release Date: 2022-06-30

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

WS-2022-0237

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • ❌ parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) in ionicabizau/parse-url before 8.0.0.
It allows cause a denial of service when calling function parse-url

Publish Date: 2022-07-04

URL: WS-2022-0237

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-07-04

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-37890

Vulnerable Library - ws-7.4.6.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • socket.io-client-2.5.0.tgz
      • engine.io-client-3.5.3.tgz
        • ❌ ws-7.4.6.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

Step up your Open Source Security Game with Mend here

CVE-2022-37603

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • next-10.2.3.tgz
      • styled-jsx-3.3.2.tgz
        • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1

Step up your Open Source Security Game with Mend here

CVE-2022-23646

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • ❌ next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Publish Date: 2022-02-17

URL: CVE-2022-23646

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646

Release Date: 2022-02-17

Fix Resolution: next - 12.1.0

Step up your Open Source Security Game with Mend here

CVE-2021-43803

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • ❌ next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

Publish Date: 2021-12-10

URL: CVE-2021-43803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-25mp-g6fv-mqxx

Release Date: 2021-12-10

Fix Resolution: next - 11.1.3,12.0.5

Step up your Open Source Security Game with Mend here

CVE-2021-3803

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • cheerio-1.0.0-rc.3.tgz
        • css-select-1.2.0.tgz
          • ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-0624

Vulnerable Library - parse-path-4.0.4.tgz

Parse paths (local paths, urls: ssh/git/etc)

Library home page: https://registry.npmjs.org/parse-path/-/parse-path-4.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • parse-url-6.0.5.tgz
            • ❌ parse-path-4.0.4.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Publish Date: 2022-06-28

URL: CVE-2022-0624

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0624

Release Date: 2022-06-28

Fix Resolution: parse-path - 5.0.0

Step up your Open Source Security Game with Mend here

WS-2022-0239

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • ❌ parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Cross-Site Scripting via Improper Input Validation (parser differential) in parse-url before 8.0.0.
Through this vulnerability, an attacker is capable to execute malicious JS codes.

Publish Date: 2022-07-02

URL: WS-2022-0239

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5fa3115f-5c97-4928-874c-3cc6302e154e

Release Date: 2022-07-02

Fix Resolution: parse-url - 8.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-3224

Vulnerable Library - parse-url-6.0.5.tgz

An advanced url parser supporting git urls too.

Library home page: https://registry.npmjs.org/parse-url/-/parse-url-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • git-url-parse-11.6.0.tgz
        • git-up-4.0.5.tgz
          • ❌ parse-url-6.0.5.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Publish Date: 2022-09-15

URL: CVE-2022-3224

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3224

Release Date: 2022-09-15

Fix Resolution: parse-url - 8.1.0

Step up your Open Source Security Game with Mend here

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • next-10.2.3.tgz
      • ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Step up your Open Source Security Game with Mend here

CVE-2021-37699

Vulnerable Library - next-10.2.3.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • ❌ next-10.2.3.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.

Publish Date: 2021-08-12

URL: CVE-2021-37699

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vxf5-wxwp-m7g9

Release Date: 2021-08-12

Fix Resolution: next - 11.1.0

Step up your Open Source Security Game with Mend here

CVE-2023-44270

Vulnerable Library - postcss-8.2.13.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.13.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • next-10.2.3.tgz
      • ❌ postcss-8.2.13.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

Publish Date: 2023-09-29

URL: CVE-2023-44270

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44270

Release Date: 2023-09-29

Fix Resolution: postcss - 8.4.31

Step up your Open Source Security Game with Mend here

CVE-2022-21670

Vulnerable Library - markdown-it-11.0.1.tgz

Markdown-it - modern pluggable markdown parser.

Library home page: https://registry.npmjs.org/markdown-it/-/markdown-it-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • cli-1.0.0.tgz
    • core-1.0.0.tgz
      • ❌ markdown-it-11.0.1.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.

Publish Date: 2022-01-10

URL: CVE-2022-21670

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vfc-qv3f-vr6c

Release Date: 2022-01-10

Fix Resolution: markdown-it - 12.3.2

Step up your Open Source Security Game with Mend here

CVE-2017-16137

Vulnerable Library - debug-4.1.1.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-4.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• log4brains-1.0.1.tgz (Root Library)
  • web-1.0.1.tgz
    • socket.io-2.5.0.tgz
      • ❌ debug-4.1.1.tgz (Vulnerable Library)

Found in HEAD commit: fc42a04502ba9c0732a2588e905a4fde245bef77

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution: debug - 2.6.9,3.1.0,3.2.7,4.3.1

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.