swagger-ui-3.2.2.tgz: 35 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github-com]

Vulnerable Library - swagger-ui-3.2.2.tgz

[](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (swagger-ui version)	Fix PR available
CVE-2018-3750	High	9.8	deep-extend-0.4.1.tgz	Transitive	3.26.0	✅
CVE-2022-37601	High	9.8	loader-utils-0.2.17.tgz	Transitive	3.26.0	✅
CVE-2021-23440	High	9.8	set-value-2.0.1.tgz	Transitive	3.26.0	✅
CVE-2019-17495	High	9.8	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
CVE-2022-1650	High	9.3	eventsource-0.1.6.tgz	Transitive	3.26.0	✅
CVE-2019-10744	High	9.1	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2022-46175	High	8.8	json5-0.5.1.tgz	Transitive	3.26.0	✅
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	3.26.0	✅
CVE-2020-28469	High	7.5	glob-parent-2.0.0.tgz	Transitive	3.26.0	✅
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	3.26.0	✅
CVE-2022-24772	High	7.5	node-forge-0.10.0.tgz	Transitive	3.26.0	✅
CVE-2022-24771	High	7.5	node-forge-0.10.0.tgz	Transitive	3.26.0	✅
CVE-2022-25887	High	7.5	sanitize-html-1.27.5.tgz	Transitive	3.26.0	✅
CVE-2018-14732	High	7.5	webpack-dev-server-2.5.0.tgz	Transitive	3.26.0	✅
CVE-2020-8203	High	7.4	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2021-23337	High	7.2	lodash-4.17.2.tgz	Transitive	3.26.0	✅
WS-2022-0008	Medium	6.6	node-forge-0.10.0.tgz	Transitive	3.26.0	✅
WS-2019-0172	Medium	6.5	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
CVE-2019-1010266	Medium	6.5	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2018-3721	Medium	6.5	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2022-0235	Medium	6.1	node-fetch-1.7.3.tgz	Transitive	N/A*	❌
WS-2017-3770	Medium	6.1	autolinker-0.28.1.tgz	Transitive	3.26.0	✅
CVE-2022-0122	Medium	6.1	node-forge-0.10.0.tgz	Transitive	3.26.0	✅
CVE-2018-16487	Medium	5.6	lodash-4.17.2.tgz	Transitive	3.26.0	✅
WS-2018-0593	Medium	5.4	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
CVE-2020-7693	Medium	5.3	sockjs-0.3.18.tgz	Transitive	3.26.0	✅
CVE-2021-26539	Medium	5.3	sanitize-html-1.27.5.tgz	Transitive	3.26.0	✅
CVE-2020-28500	Medium	5.3	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2021-26540	Medium	5.3	sanitize-html-1.27.5.tgz	Transitive	3.26.0	✅
CVE-2022-24773	Medium	5.3	node-forge-0.10.0.tgz	Transitive	3.26.0	✅
CVE-2020-7608	Medium	5.3	yargs-parser-4.2.1.tgz	Transitive	3.26.0	✅
CVE-2020-15168	Medium	5.3	node-fetch-1.7.3.tgz	Transitive	N/A*	❌
WS-2019-0540	Medium	5.3	autolinker-0.28.1.tgz	Transitive	3.26.0	✅
CVE-2018-25031	Medium	4.3	swagger-ui-3.2.2.tgz	Direct	N/A	❌
WS-2019-0171	Medium	4.3	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-3750

Vulnerable Library - deep-extend-0.4.1.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deep-extend/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ deep-extend-0.4.1.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2018-07-03

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-37601

Vulnerable Library - loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/worker-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • worker-loader-0.7.1.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): loader-utils - v2.0.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23440

Vulnerable Library - set-value-2.0.1.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • chokidar-1.7.0.tgz
      • readdirp-2.2.1.tgz
        • micromatch-3.1.10.tgz
          • snapdragon-0.8.2.tgz
            • base-0.11.2.tgz
              • cache-base-1.0.1.tgz
                • ❌ set-value-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-12

Fix Resolution (set-value): set-value - 4.0.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-17495

Vulnerable Library - swagger-ui-3.2.2.tgz

[](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Dependency Hierarchy:

• ❌ swagger-ui-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17495

Release Date: 2019-10-10

Fix Resolution (swagger-ui): 3.23.11

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-1650

Vulnerable Library - eventsource-0.1.6.tgz

W3C compliant EventSource client for Node.js

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-0.1.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eventsource/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • sockjs-client-1.1.2.tgz
      • ❌ eventsource-0.1.6.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): eventsource - 1.1.1,2.0.2

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-10744

Vulnerable Library - lodash-4.17.2.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ lodash-4.17.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-46175

Vulnerable Library - json5-0.5.1.tgz

JSON for the ES5 era.

Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/worker-loader/node_modules/json5/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • worker-loader-0.7.1.tgz
    • loader-utils-0.2.17.tgz
      • ❌ json5-0.5.1.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): json5 - 2.2.2

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23424

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-html/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • ❌ ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-28469

Vulnerable Library - glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-base/node_modules/glob-parent/package.json,/node_modules/webpack-dev-server/node_modules/glob-parent/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • http-proxy-middleware-0.17.4.tgz
      • micromatch-2.3.11.tgz
        • parse-glob-3.0.4.tgz
          • glob-base-0.3.0.tgz
            • ❌ glob-parent-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): glob-parent - 5.1.2

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-33623

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/trim-newlines/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • internal-ip-1.2.0.tgz
      • meow-3.7.0.tgz
        • ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): trim-newlines - 3.0.1, 4.0.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): node-forge - 1.3.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): node-forge - 1.3.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-25887

Vulnerable Library - sanitize-html-1.27.5.tgz

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Library home page: https://registry.npmjs.org/sanitize-html/-/sanitize-html-1.27.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/sanitize-html/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ sanitize-html-1.27.5.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

Publish Date: 2022-08-30

URL: CVE-2022-25887

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25887

Release Date: 2022-08-30

Fix Resolution (sanitize-html): sanitize-html - 2.7.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-14732

Vulnerable Library - webpack-dev-server-2.5.0.tgz

Serves a webpack app. Updates the browser on changes.

Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack-dev-server/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ webpack-dev-server-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

Publish Date: 2018-09-21

URL: CVE-2018-14732

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14732

Release Date: 2018-09-21

Fix Resolution (webpack-dev-server): 3.1.6

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-8203

Vulnerable Library - lodash-4.17.2.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ lodash-4.17.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): lodash - 4.17.19

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337

Vulnerable Library - lodash-4.17.2.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ lodash-4.17.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution (lodash): lodash - 4.17.21

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): node-forge - 1.0.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

WS-2019-0172

Vulnerable Library - swagger-ui-3.2.2.tgz

[](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Dependency Hierarchy:

• ❌ swagger-ui-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting

Publish Date: 2019-02-23

URL: WS-2019-0172

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/976

Release Date: 2019-02-23

Fix Resolution (swagger-ui): 3.20.9

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-1010266

Vulnerable Library - lodash-4.17.2.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ lodash-4.17.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2018-3721

Vulnerable Library - lodash-4.17.2.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • ❌ lodash-4.17.2.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-04-26

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • react-addons-perf-15.4.2.tgz
    • fbjs-0.8.18.tgz
      • isomorphic-fetch-2.2.1.tgz
        • ❌ node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

WS-2017-3770

Vulnerable Library - autolinker-0.28.1.tgz

Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML

Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/autolinker/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • react-remarkable-1.1.1.tgz
    • remarkable-1.7.4.tgz
      • ❌ autolinker-0.28.1.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0. User input passed to the innerHTML tags isn't sanitized.

Publish Date: 2017-02-15

URL: WS-2017-3770

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-02-15

Fix Resolution (autolinker): autolinker - 3.14.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

• swagger-ui-3.2.2.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • selfsigned-1.10.14.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: e263f4c15af0c3b33faf1d0c1660af18d97b9e79

Found in base branch: main

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): node-forge - 1.0.0

Direct dependency fix Resolution (swagger-ui): 3.26.0

⛑️ Automatic Remediation is available for this issue

---

⛑️ Automatic Remediation is available for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.