Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

react-scripts-1.0.11.tgz: 38 vulnerabilities (highest severity is: 9.8) #63

Open
mend-for-github-com bot opened this issue May 22, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link
Contributor

Vulnerable Library - react-scripts-1.0.11.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (react-scripts version) Remediation Possible** Reachability
CVE-2022-0691 Critical 9.8 Not Defined 0.3% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2018-6342 Critical 9.8 Not Defined 0.2% react-dev-utils-3.1.1.tgz Transitive 1.0.12
CVE-2018-3774 Critical 9.8 Not Defined 0.3% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2022-0686 Critical 9.1 Not Defined 0.2% url-parse-1.1.9.tgz Transitive 1.0.12
WS-2019-0063 High 8.1 Not Defined js-yaml-3.9.1.tgz Transitive 2.0.0
CVE-2021-43138 High 7.8 Not Defined 0.1% async-2.5.0.tgz Transitive 1.0.12
WS-2020-0091 High 7.5 Not Defined http-proxy-1.16.2.tgz Transitive 1.0.12
WS-2019-0032 High 7.5 Not Defined js-yaml-3.9.1.tgz Transitive 2.0.0
CVE-2022-37620 High 7.5 Not Defined 0.1% html-minifier-3.5.3.tgz Transitive N/A*
CVE-2022-24999 High 7.5 Not Defined 0.9% qs-6.5.0.tgz Transitive 1.0.12
CVE-2021-27516 High 7.5 Not Defined 0.2% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2021-23382 High 7.5 Not Defined 0.2% detected in multiple dependencies Transitive 3.0.0
CVE-2020-7662 High 7.5 Not Defined 0.2% websocket-extensions-0.1.1.tgz Transitive 1.0.12
CVE-2018-14732 High 7.5 Not Defined 0.3% webpack-dev-server-2.7.1.tgz Transitive 2.0.0
CVE-2017-16138 High 7.5 Not Defined 0.1% mime-1.3.6.tgz Transitive 1.0.15
CVE-2017-16118 High 7.5 Not Defined 0.1% forwarded-0.1.0.tgz Transitive 1.0.12
CVE-2017-16099 High 7.5 Not Defined 0.1% no-case-2.3.1.tgz Transitive 1.0.12
WS-2018-0590 High 7.1 Not Defined diff-3.3.0.tgz Transitive 1.0.12
CVE-2022-0613 Medium 6.5 Not Defined 0.1% urijs-1.18.12.tgz Transitive N/A*
CVE-2020-26291 Medium 6.5 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2024-29041 Medium 6.1 Not Defined 0.0% express-4.15.4.tgz Transitive N/A*
CVE-2022-1243 Medium 6.1 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-1233 Medium 6.1 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-0868 Medium 6.1 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2021-3647 Medium 6.1 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2021-24033 Medium 5.6 Not Defined 0.2% react-dev-utils-3.1.1.tgz Transitive 4.0.0
CVE-2020-15366 Medium 5.6 Not Defined 0.3% ajv-5.2.2.tgz Transitive 2.0.0
WS-2019-0017 Medium 5.3 Not Defined clean-css-4.1.7.tgz Transitive 1.0.12
WS-2018-0347 Medium 5.3 Not Defined eslint-4.4.1.tgz Transitive 2.0.0
WS-2017-3757 Medium 5.3 Not Defined content-type-parser-1.0.1.tgz Transitive N/A*
CVE-2022-24723 Medium 5.3 Not Defined 0.1% urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-0639 Medium 5.3 Not Defined 0.1% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2022-0512 Medium 5.3 Not Defined 0.1% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2021-3664 Medium 5.3 Not Defined 0.1% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2021-27515 Medium 5.3 Not Defined 0.2% url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2020-8124 Medium 5.3 Not Defined 0.1% url-parse-1.1.9.tgz Transitive 1.0.12
WS-2018-0589 Low 3.7 Not Defined nwmatcher-1.4.1.tgz Transitive 1.0.12
CVE-2024-27088 Low 0.0 Not Defined 0.0% es5-ext-0.10.29.tgz Transitive 1.0.12

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-0691

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2018-6342

Vulnerable Library - react-dev-utils-3.1.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.1.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • react-dev-utils-3.1.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 3.1.2

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2018-3774

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2022-0686

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

WS-2019-0063

Vulnerable Library - js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • eslint-4.4.1.tgz
      • js-yaml-3.9.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (react-scripts): 2.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-43138

Vulnerable Library - async-2.5.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.5.0.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-3.5.1.tgz
      • async-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

WS-2020-0091

Vulnerable Library - http-proxy-1.16.2.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • http-proxy-middleware-0.17.4.tgz
        • http-proxy-1.16.2.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-14

Fix Resolution (http-proxy): 1.18.1

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

WS-2019-0032

Vulnerable Library - js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • eslint-4.4.1.tgz
      • js-yaml-3.9.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (react-scripts): 2.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-37620

Vulnerable Library - html-minifier-3.5.3.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.3.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • html-minifier-3.5.3.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

Publish Date: 2022-10-31

URL: CVE-2022-37620

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-24999

Vulnerable Library - qs-6.5.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.0.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • express-4.15.4.tgz
        • qs-6.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.9%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2021-27516

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Publish Date: 2021-02-22

URL: CVE-2021-27516

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27516

Release Date: 2021-02-22

Fix Resolution (urijs): 1.19.6

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2021-23382

Vulnerable Libraries - postcss-6.0.9.tgz, postcss-5.2.17.tgz

postcss-6.0.9.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.9.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • autoprefixer-7.1.2.tgz
      • postcss-6.0.9.tgz (Vulnerable Library)

postcss-5.2.17.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.17.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • css-loader-0.28.4.tgz
      • postcss-5.2.17.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 3.0.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 3.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7662

Vulnerable Library - websocket-extensions-0.1.1.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-0.3.18.tgz
        • faye-websocket-0.10.0.tgz
          • websocket-driver-0.6.5.tgz
            • websocket-extensions-0.1.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2018-14732

Vulnerable Library - webpack-dev-server-2.7.1.tgz

Serves a webpack app. Updates the browser on changes.

Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

Publish Date: 2018-09-21

URL: CVE-2018-14732

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14732

Release Date: 2018-09-21

Fix Resolution (webpack-dev-server): 3.1.6

Direct dependency fix Resolution (react-scripts): 2.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2017-16138

Vulnerable Library - mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • webpack-dev-middleware-1.12.0.tgz
        • mime-1.3.6.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (react-scripts): 1.0.15

In order to enable automatic remediation, please create workflow rules

CVE-2017-16118

Vulnerable Library - forwarded-0.1.0.tgz

Parse HTTP X-Forwarded-For header

Library home page: https://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • express-4.15.4.tgz
        • proxy-addr-1.1.5.tgz
          • forwarded-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16118

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/527/versions

Release Date: 2018-04-26

Fix Resolution (forwarded): 0.1.2

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2017-16099

Vulnerable Library - no-case-2.3.1.tgz

Remove case from a string

Library home page: https://registry.npmjs.org/no-case/-/no-case-2.3.1.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • html-minifier-3.5.3.tgz
        • param-case-2.1.1.tgz
          • no-case-2.3.1.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16099

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/529/versions

Release Date: 2018-06-07

Fix Resolution (no-case): 2.3.2

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

WS-2018-0590

Vulnerable Library - diff-3.3.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.3.0.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-jasmine2-20.0.4.tgz
          • jest-diff-20.0.3.tgz
            • diff-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules

CVE-2022-0613

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.

Publish Date: 2022-02-16

URL: CVE-2022-0613

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/

Release Date: 2022-02-16

Fix Resolution: uri.js - v1.19.8

CVE-2020-26291

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Path to dependency file: /fixtures/attribute-behavior/package.json

Path to vulnerable library: /fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e4ce85c3d01611eeb661de5f903c01d4063186b7

Found in base branch: main

Vulnerability Details

URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

Publish Date: 2020-12-31

URL: CVE-2020-26291

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291

Release Date: 2020-12-31

Fix Resolution (urijs): 1.19.4

Direct dependency fix Resolution (react-scripts): 1.0.12

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants