New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bulk vulnerability fix - Lockfile fix #1

Merged

PhatchanaDebricked merged 1 commit into develop from debricked-fix-bulk_fix-1b2d0c94e0b5b4ef

Jul 23, 2021

debricked bot commented Jul 23, 2021

Bulk vulnerability fix - Lockfile fix

This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.

Fixed vulnerabilities:

CVE–2021–23364

Description

GitHub

Regular Expression Denial of Service in browserslist

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

NVD

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low
References

    Fix unsafe regexp · browserslist/browserslist@c091916 · GitHub
    Fix ReDoS by yetingli · Pull Request #593 · browserslist/browserslist · GitHub
    MISC
    Regular Expression Denial of Service in browserslist · CVE-2021-23364 · GitHub Advisory Database · GitHub
    browserslist/index.js at e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c · browserslist/browserslist · GitHub
    NVD - CVE-2021-23364

CVE–2021–23343

Description

NVD

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVSS details - 7.5

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High
References

    ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
    Pony Mail!
    fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub

CVE–2021–23362

Description

GitHub

Regular Expression Denial of Service in hosted-git-info

The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity

NVD

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS details - 5.3

CVSS3 metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

User interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low
References

    Commits · npm/hosted-git-info · GitHub
    fix: backport regex fix from #76 · npm/hosted-git-info@29adfe5 · GitHub
    chore(release): 2.8.9 · npm/hosted-git-info@8d4b369 · GitHub
    fix: simplify the regular expression for shortcut matching · npm/hosted-git-info@bede0dc · GitHub
    NVD - CVE-2021-23362
    Regular Expression Denial of Service in hosted-git-info · CVE-2021-23362 · GitHub Advisory Database · GitHub

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked


          Bulk fix vulnerabilities

270eafb

PhatchanaDebricked merged commit 128be70 into develop

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet