eslint-plugin-import-2.8.0.tgz: 3 vulnerabilities (highest severity is: 7.5)

[dev-mend-for-github-com]

Vulnerable Library - eslint-plugin-import-2.8.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/hosted-git-info/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/hosted-git-info/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (eslint-plugin-import version)	Remediation Possible**	Reachability
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2021-23362	Medium	5.3	hosted-git-info-2.5.0.tgz	Transitive	2.9.0	✅
CVE-2021-23343	Medium	5.3	path-parse-1.0.5.tgz	Transitive	2.9.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-lifecycle/node_modules/node-gyp/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/pacote/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-packlist/node_modules/ignore-walk/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json,/npm_and_yarn/spec/fixtures/projects/npm8/os_mismatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

• eslint-plugin-import-2.8.0.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-23362

Vulnerable Library - hosted-git-info-2.5.0.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.5.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/hosted-git-info/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/hosted-git-info/package.json

Dependency Hierarchy:

• eslint-plugin-import-2.8.0.tgz (Root Library)
  • read-pkg-up-2.0.0.tgz
    • read-pkg-2.0.0.tgz
      • normalize-package-data-2.4.0.tgz
        • ❌ hosted-git-info-2.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution (hosted-git-info): 2.8.9

Direct dependency fix Resolution (eslint-plugin-import): 2.9.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23343

Vulnerable Library - path-parse-1.0.5.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/path-parse/package.json

Dependency Hierarchy:

• eslint-plugin-import-2.8.0.tgz (Root Library)
  • eslint-import-resolver-node-0.3.1.tgz
    • resolve-1.5.0.tgz
      • ❌ path-parse-1.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (eslint-plugin-import): 2.9.0

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules