react-scripts-1.0.17.tgz: 97 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - react-scripts-1.0.17.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/packaging/systemjs-builder/prod/node_modules/es5-ext/package.json,/fixtures/packaging/systemjs-builder/dev/node_modules/es5-ext/package.json,/fixtures/expiration/node_modules/es5-ext/package.json

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	Not Defined	0.1%	ip-1.1.5.tgz	Transitive	1.1.0	❌
CVE-2023-26136	Critical	9.8	Not Defined	0.1%	tough-cookie-2.3.3.tgz	Transitive	4.0.0	❌
CVE-2022-37601	Critical	9.8	Not Defined	0.70000005%	detected in multiple dependencies	Transitive	4.0.0	✅
CVE-2022-37598	Critical	9.8	Not Defined	0.5%	uglify-js-3.7.3.tgz	Transitive	3.3.1	❌
CVE-2022-0691	Critical	9.8	Not Defined	0.3%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2021-44906	Critical	9.8	Not Defined	1.2%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2021-42740	Critical	9.8	Not Defined	0.2%	shell-quote-1.6.1.tgz	Transitive	5.0.0	✅
CVE-2021-3918	Critical	9.8	Not Defined	0.4%	json-schema-0.2.3.tgz	Transitive	1.1.0	✅
CVE-2021-23383	Critical	9.8	Not Defined	3.3%	handlebars-4.5.3.tgz	Transitive	1.1.0	✅
CVE-2021-23369	Critical	9.8	Not Defined	14.900001%	handlebars-4.5.3.tgz	Transitive	1.1.0	✅
CVE-2020-7788	Critical	9.8	Not Defined	1.2%	ini-1.3.4.tgz	Transitive	1.1.0	✅
CVE-2020-28499	Critical	9.8	Not Defined	0.4%	merge-1.2.0.tgz	Transitive	3.0.0	❌
CVE-2018-6342	Critical	9.8	Not Defined	0.2%	react-dev-utils-4.2.1.tgz	Transitive	1.1.0	✅
CVE-2018-3774	Critical	9.8	Not Defined	0.3%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2018-16492	Critical	9.8	Not Defined	0.4%	extend-3.0.1.tgz	Transitive	1.1.0	✅
CVE-2018-13797	Critical	9.8	Not Defined	0.3%	macaddress-0.2.8.tgz	Transitive	1.1.0	❌
CVE-2018-1000620	Critical	9.8	Not Defined	0.2%	cryptiles-3.1.2.tgz	Transitive	1.1.1	✅
CVE-2022-1650	Critical	9.3	Not Defined	0.2%	eventsource-0.1.6.tgz	Transitive	2.1.3	✅
CVE-2022-0686	Critical	9.1	Not Defined	0.2%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2019-10744	Critical	9.1	Not Defined	1.5%	lodash.template-4.4.0.tgz	Transitive	1.1.0	❌
CVE-2023-45133	High	8.8	Not Defined	0.1%	babel-traverse-6.26.0.tgz	Transitive	N/A*	❌
CVE-2022-46175	High	8.8	Not Defined	0.6%	json5-0.5.1.tgz	Transitive	3.0.0	✅
WS-2019-0063	High	8.1	Not Defined		detected in multiple dependencies	Transitive	2.0.0	✅
CVE-2021-43138	High	7.8	Not Defined	0.1%	async-2.6.0.tgz	Transitive	1.1.0	✅
CVE-2020-13822	High	7.7	Not Defined	0.4%	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2021-0152	High	7.5	Not Defined		color-string-0.3.0.tgz	Transitive	2.0.0	✅
WS-2020-0450	High	7.5	Not Defined		handlebars-4.5.3.tgz	Transitive	1.1.0	✅
WS-2019-0541	High	7.5	Not Defined		macaddress-0.2.8.tgz	Transitive	1.1.0	❌
WS-2019-0032	High	7.5	Not Defined		detected in multiple dependencies	Transitive	2.0.0	✅
CVE-2024-4068	High	7.5	Not Defined	0.0%	braces-1.8.5.tgz	Transitive	N/A*	❌
CVE-2022-37620	High	7.5	Not Defined	0.1%	html-minifier-3.5.6.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	Not Defined	0.6%	loader-utils-1.1.0.tgz	Transitive	1.1.0	✅
CVE-2022-3517	High	7.5	Not Defined	0.2%	minimatch-3.0.3.tgz	Transitive	N/A*	❌
CVE-2022-29167	High	7.5	Not Defined	0.1%	hawk-6.0.2.tgz	Transitive	1.1.1	✅
CVE-2022-24999	High	7.5	Not Defined	0.9%	qs-6.5.1.tgz	Transitive	1.1.0	✅
CVE-2022-24772	High	7.5	Not Defined	0.1%	node-forge-0.6.33.tgz	Transitive	5.0.0	✅
CVE-2022-24771	High	7.5	Not Defined	0.1%	node-forge-0.6.33.tgz	Transitive	5.0.0	✅
CVE-2021-3803	High	7.5	Not Defined	0.2%	nth-check-1.0.1.tgz	Transitive	1.1.0	❌
CVE-2021-3777	High	7.5	Not Defined	0.1%	tmpl-1.0.4.tgz	Transitive	1.1.0	✅
CVE-2021-33623	High	7.5	Not Defined	0.2%	trim-newlines-1.0.0.tgz	Transitive	2.0.1	❌
CVE-2021-29059	High	7.5	Not Defined	0.4%	is-svg-2.1.0.tgz	Transitive	2.0.0	✅
CVE-2021-28092	High	7.5	Not Defined	0.2%	is-svg-2.1.0.tgz	Transitive	2.0.0	✅
CVE-2021-27516	High	7.5	Not Defined	0.2%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2021-23424	High	7.5	Not Defined	0.2%	ansi-html-0.0.7.tgz	Transitive	5.0.0	❌
CVE-2021-23382	High	7.5	Not Defined	0.2%	detected in multiple dependencies	Transitive	3.0.0	✅
CVE-2021-23343	High	7.5	Not Defined	0.3%	path-parse-1.0.5.tgz	Transitive	1.1.0	✅
CVE-2020-7662	High	7.5	Not Defined	0.2%	websocket-extensions-0.1.3.tgz	Transitive	1.1.0	✅
CVE-2020-28469	High	7.5	Not Defined	1.2%	glob-parent-2.0.0.tgz	Transitive	5.0.0	✅
CVE-2018-3737	High	7.5	Not Defined	0.2%	sshpk-1.13.1.tgz	Transitive	1.1.0	❌
CVE-2018-16469	High	7.5	Not Defined	0.1%	merge-1.2.0.tgz	Transitive	1.1.0	❌
CVE-2018-14732	High	7.5	Not Defined	0.3%	webpack-dev-server-2.9.4.tgz	Transitive	2.0.0	✅
WS-2018-0588	High	7.4	Not Defined		detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2020-8116	High	7.3	Not Defined	0.2%	dot-prop-3.0.0.tgz	Transitive	1.1.0	❌
CVE-2020-7720	High	7.3	Not Defined	0.2%	node-forge-0.6.33.tgz	Transitive	1.1.0	✅
CVE-2018-3750	High	7.3	Not Defined	0.3%	deep-extend-0.4.2.tgz	Transitive	1.1.0	✅
WS-2018-0590	High	7.1	Not Defined		diff-3.4.0.tgz	Transitive	1.1.0	✅
CVE-2020-28498	Medium	6.8	Not Defined	0.1%	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2022-0008	Medium	6.6	Not Defined		node-forge-0.6.33.tgz	Transitive	5.0.0	✅
CVE-2022-0613	Medium	6.5	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	N/A*	❌
CVE-2021-23386	Medium	6.5	Not Defined	0.1%	dns-packet-1.2.2.tgz	Transitive	1.1.0	❌
CVE-2020-26291	Medium	6.5	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2018-21270	Medium	6.5	Not Defined	0.2%	stringstream-0.0.5.tgz	Transitive	1.1.0	✅
CVE-2024-29041	Medium	6.1	Not Defined	0.0%	express-4.16.2.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	Not Defined	0.1%	request-2.83.0.tgz	Transitive	N/A*	❌
CVE-2022-1243	Medium	6.1	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2022-1233	Medium	6.1	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2022-0868	Medium	6.1	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2022-0122	Medium	6.1	Not Defined	0.1%	node-forge-0.6.33.tgz	Transitive	5.0.0	✅
CVE-2021-3647	Medium	6.1	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
WS-2019-0427	Medium	5.9	Not Defined		elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2019-0424	Medium	5.9	Not Defined		elliptic-6.4.0.tgz	Transitive	1.1.0	❌
CVE-2021-24033	Medium	5.6	Not Defined	0.2%	react-dev-utils-4.2.1.tgz	Transitive	4.0.0	✅
CVE-2020-7789	Medium	5.6	Not Defined	0.2%	node-notifier-5.1.2.tgz	Transitive	1.1.0	✅
CVE-2020-7598	Medium	5.6	Not Defined	0.1%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2020-15366	Medium	5.6	Not Defined	0.3%	ajv-5.3.0.tgz	Transitive	2.0.0	✅
CVE-2024-29415	Medium	5.5	Not Defined		ip-1.1.5.tgz	Transitive	N/A*	❌
WS-2019-0017	Medium	5.3	Not Defined		clean-css-4.1.9.tgz	Transitive	1.1.0	✅
WS-2018-0347	Medium	5.3	Not Defined		eslint-4.10.0.tgz	Transitive	2.0.0	✅
WS-2017-3757	Medium	5.3	Not Defined		content-type-parser-1.0.2.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	Not Defined	0.0%	micromatch-2.3.11.tgz	Transitive	5.0.0	✅
CVE-2022-33987	Medium	5.3	Not Defined	0.1%	got-5.7.1.tgz	Transitive	2.0.1	❌
CVE-2022-24773	Medium	5.3	Not Defined	0.1%	node-forge-0.6.33.tgz	Transitive	5.0.0	✅
CVE-2022-24723	Medium	5.3	Not Defined	0.1%	urijs-1.19.0.tgz	Transitive	1.1.0	✅
CVE-2022-0639	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2022-0512	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2021-3664	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2021-29060	Medium	5.3	Not Defined	0.2%	color-string-0.3.0.tgz	Transitive	2.0.0	✅
CVE-2021-27515	Medium	5.3	Not Defined	0.2%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2021-23362	Medium	5.3	Not Defined	0.3%	hosted-git-info-2.5.0.tgz	Transitive	1.1.0	❌
CVE-2020-8124	Medium	5.3	Not Defined	0.1%	detected in multiple dependencies	Transitive	1.1.0	✅
CVE-2020-7693	Medium	5.3	Not Defined	0.6%	sockjs-0.3.18.tgz	Transitive	3.4.2	✅
CVE-2020-7608	Medium	5.3	Not Defined	0.0%	detected in multiple dependencies	Transitive	2.0.0	✅
CVE-2017-16028	Medium	5.3	Not Defined	0.1%	randomatic-1.1.7.tgz	Transitive	1.1.0	✅
WS-2019-0307	Medium	5.1	Not Defined		mem-1.1.0.tgz	Transitive	2.0.0	✅
WS-2018-0103	Medium	4.8	Not Defined		stringstream-0.0.5.tgz	Transitive	1.1.0	✅
WS-2018-0589	Low	3.7	Not Defined		nwmatcher-1.4.3.tgz	Transitive	1.1.0	✅
CVE-2024-27088	Low	0.0	Not Defined	0.0%	es5-ext-0.10.35.tgz	Transitive	1.1.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (12 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-dev-server-2.9.4.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2023-26136

Vulnerable Library - tough-cookie-2.3.3.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.3.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • ❌ tough-cookie-2.3.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (react-scripts): 4.0.0

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/prod/node_modules/loader-utils/package.json,/fixtures/packaging/webpack/dev/node_modules/loader-utils/package.json,/fixtures/packaging/webpack-alias/dev/node_modules/loader-utils/package.json,/fixtures/expiration/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json,/fixtures/concurrent/time-slicing/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • html-webpack-plugin-2.29.0.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/node_modules/loader-utils/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-3.8.1.tgz
    • ❌ loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-37598

Vulnerable Library - uglify-js-3.7.3.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.3.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.2.1.tgz
        • istanbul-reports-1.1.3.tgz
          • handlebars-4.5.3.tgz
            • ❌ uglify-js-3.7.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (react-scripts): 3.3.1

CVE-2022-0691

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/original/node_modules/url-parse/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/node_modules/url-parse/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-44906

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • babel-loader-7.1.2.tgz
    • mkdirp-0.5.1.tgz
      • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.2.1.tgz
        • istanbul-reports-1.1.3.tgz
          • handlebars-4.5.3.tgz
            • optimist-0.6.1.tgz
              • ❌ minimist-0.0.10.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /fixtures/packaging/browserify/dev/package.json

Path to vulnerable library: /fixtures/packaging/browserify/dev/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/packaging/browserify/prod/node_modules/minimist/package.json,/fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/minimist/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/prod/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • postcss-loader-2.0.8.tgz
    • postcss-load-config-1.2.0.tgz
      • cosmiconfig-2.2.2.tgz
        • ❌ minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (minimist): 0.2.4

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /fixtures/expiration/package.json

Path to vulnerable library: /fixtures/expiration/node_modules/shell-quote/package.json,/node_modules/fx-runner/node_modules/shell-quote/package.json,/fixtures/concurrent/time-slicing/node_modules/shell-quote/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /fixtures/packaging/webpack-alias/prod/package.json

Path to vulnerable library: /fixtures/packaging/webpack-alias/prod/package.json,/scripts/bench/node_modules/json-schema/package.json,/fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack/dev/package.json,/fixtures/expiration/node_modules/json-schema/package.json,/fixtures/packaging/webpack/prod/package.json,/fixtures/concurrent/time-slicing/node_modules/json-schema/package.json,/node_modules/json-schema/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • request-2.83.0.tgz
            • http-signature-1.2.0.tgz
              • jsprim-1.4.1.tgz
                • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23383

Vulnerable Library - handlebars-4.5.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.2.1.tgz
        • istanbul-reports-1.1.3.tgz
          • ❌ handlebars-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23369

Vulnerable Library - handlebars-4.5.3.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json,/fixtures/expiration/node_modules/handlebars/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.2.1.tgz
        • istanbul-reports-1.1.3.tgz
          • ❌ handlebars-4.5.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 14.900001%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.7.7

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7788

Vulnerable Library - ini-1.3.4.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz

Path to dependency file: /fixtures/packaging/webpack-alias/dev/package.json

Path to vulnerable library: /fixtures/packaging/webpack-alias/dev/package.json,/fixtures/packaging/webpack-alias/prod/package.json,/fixtures/packaging/webpack/dev/package.json,/scripts/bench/node_modules/ini/package.json,/fixtures/expiration/node_modules/ini/package.json,/fixtures/attribute-behavior/package.json,/fixtures/packaging/webpack/prod/package.json

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • sw-precache-webpack-plugin-0.11.4.tgz
    • sw-precache-5.2.0.tgz
      • update-notifier-1.0.3.tgz
        • latest-version-2.0.0.tgz
          • package-json-2.4.0.tgz
            • registry-auth-token-3.3.1.tgz
              • rc-1.2.2.tgz
                • ❌ ini-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (react-scripts): 1.1.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-haste-map-20.0.5.tgz
        • sane-1.6.0.tgz
          • exec-sh-0.2.1.tgz
            • ❌ merge-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Mend Note: Converted from WS-2020-0218, on 2021-07-21.

Publish Date: 2021-02-18

URL: CVE-2020-28499

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (react-scripts): 3.0.0

---

In order to enable automatic remediation for this issue, please create workflow rules