@scaffold-eth/react-app-1.0.0.tgz: 35 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - @scaffold-eth/react-app-1.0.0.tgz

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-0691	High	9.8	url-parse-1.5.3.tgz	Transitive	N/A	❌
WS-2021-0153	High	9.8	ejs-2.7.4.tgz	Transitive	N/A	❌
CVE-2021-23436	High	9.8	immer-8.0.1.tgz	Transitive	N/A	❌
CVE-2020-28499	High	9.8	merge-1.2.1.tgz	Transitive	N/A	❌
CVE-2020-28472	High	9.8	aws-sdk-2.647.0.tgz	Transitive	N/A	❌
CVE-2021-44906	High	9.8	minimist-1.2.3.tgz	Transitive	N/A	❌
CVE-2021-3757	High	9.8	immer-8.0.1.tgz	Transitive	N/A	❌
CVE-2022-0686	High	9.1	url-parse-1.5.3.tgz	Transitive	N/A	❌
CVE-2021-43138	High	7.8	async-3.2.0.tgz	Transitive	N/A	❌
CVE-2020-13822	High	7.7	elliptic-6.5.2.tgz	Transitive	N/A	❌
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	N/A	❌
CVE-2020-28469	High	7.5	glob-parent-3.1.0.tgz	Transitive	N/A	❌
CVE-2021-33502	High	7.5	multiple	Transitive	N/A	❌
CVE-2021-33623	High	7.5	trim-newlines-2.0.0.tgz	Transitive	N/A	❌
CVE-2022-24772	High	7.5	node-forge-0.10.0.tgz	Transitive	N/A	❌
CVE-2022-24771	High	7.5	node-forge-0.10.0.tgz	Transitive	N/A	❌
CVE-2021-3803	High	7.5	multiple	Transitive	N/A	❌
CVE-2021-3807	High	7.5	ansi-regex-4.1.0.tgz	Transitive	N/A	❌
CVE-2021-33587	High	7.5	css-what-3.4.2.tgz	Transitive	N/A	❌
CVE-2022-24785	High	7.5	moment-2.29.1.tgz	Transitive	N/A	❌
CVE-2020-28498	Medium	6.8	elliptic-6.5.2.tgz	Transitive	N/A	❌
WS-2022-0008	Medium	6.6	node-forge-0.10.0.tgz	Transitive	N/A	❌
CVE-2022-0155	Medium	6.5	follow-redirects-1.5.10.tgz	Transitive	N/A	❌
CVE-2022-0122	Medium	6.1	node-forge-0.10.0.tgz	Transitive	N/A	❌
CVE-2022-0536	Medium	5.9	multiple	Transitive	N/A	❌
CVE-2020-28168	Medium	5.9	axios-0.18.1.tgz	Transitive	N/A	❌
WS-2019-0424	Medium	5.9	elliptic-6.5.2.tgz	Transitive	N/A	❌
CVE-2021-23566	Medium	5.5	nanoid-3.1.23.tgz	Transitive	N/A	❌
CVE-2022-0512	Medium	5.3	url-parse-1.5.3.tgz	Transitive	N/A	❌
CVE-2021-32640	Medium	5.3	ws-7.3.0.tgz	Transitive	N/A	❌
CVE-2022-24773	Medium	5.3	node-forge-0.10.0.tgz	Transitive	N/A	❌
CVE-2020-7608	Medium	5.3	yargs-parser-10.1.0.tgz	Transitive	N/A	❌
CVE-2022-0639	Medium	5.3	url-parse-1.5.3.tgz	Transitive	N/A	❌
CVE-2022-21670	Medium	5.3	markdown-it-12.2.0.tgz	Transitive	N/A	❌
CVE-2021-23364	Medium	5.3	browserslist-4.14.2.tgz	Transitive	N/A	❌

Details

Partial details (8 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.

CVE-2022-0691

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • react-scripts-4.0.0.tgz
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • ❌ url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution: url-parse - 1.5.9

Step up your Open Source Security Game with WhiteSource here

WS-2021-0153

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • react-scripts-4.0.0.tgz
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ❌ ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mde/ejs#571

Release Date: 2021-01-22

Fix Resolution: ejs - 3.1.6

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23436

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • react-scripts-4.0.0.tgz
    • react-dev-utils-11.0.4.tgz
      • ❌ immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution: immer - 9.0.6

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28499

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • searchico-1.2.1.tgz
    • ❌ merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: swordev/merge#38

Release Date: 2021-02-18

Fix Resolution: merge - 2.1.0

Step up your Open Source Security Game with WhiteSource here

CVE-2020-28472

Vulnerable Library - aws-sdk-2.647.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.647.0.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • s3-folder-upload-2.3.5.tgz
    • ❌ aws-sdk-2.647.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2021-01-19

URL: CVE-2020-28472

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28472

Release Date: 2021-01-19

Fix Resolution: aws-sdk-2.814.0,@aws-sdk/shared-ini-file-loader-1.0.0-rc.9

Step up your Open Source Security Game with WhiteSource here

CVE-2021-44906

Vulnerable Library - minimist-1.2.3.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.3.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • surge-0.21.7.tgz
    • ❌ minimist-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/issues/164

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3757

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • react-scripts-4.0.0.tgz
    • react-dev-utils-11.0.4.tgz
      • ❌ immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution: immer - 9.0.6

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0686

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Dependency Hierarchy:

• @scaffold-eth/react-app-1.0.0.tgz (Root Library)
  • react-scripts-4.0.0.tgz
    • webpack-dev-server-3.11.0.tgz
      • sockjs-client-1.4.0.tgz
        • ❌ url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution: url-parse - 1.5.8

Step up your Open Source Security Game with WhiteSource here