react-scripts-1.0.17.tgz: 107 vulnerabilities (highest severity is: 9.8) #46

Open
mend-for-github-com bot opened this issue Nov 15, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments


mend-for-github-com bot commented Nov 15, 2024

Vulnerable Library - react-scripts-1.0.17.tgz

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (react-scripts version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-42282 | Critical | 9.8 | ip-1.1.5.tgz | Transitive | 1.1.0 | | |
| CVE-2022-37601 | Critical | 9.8 | detected in multiple dependencies | Transitive | 4.0.0 | | |
| CVE-2022-0691 | Critical | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2021-44906 | Critical | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2021-42740 | Critical | 9.8 | shell-quote-1.6.1.tgz | Transitive | 5.0.0 | | |
| CVE-2021-3918 | Critical | 9.8 | json-schema-0.2.3.tgz | Transitive | 1.1.0 | | |
| CVE-2020-7720 | Critical | 9.8 | node-forge-0.6.33.tgz | Transitive | 1.1.0 | | |
| CVE-2018-6342 | Critical | 9.8 | react-dev-utils-4.2.1.tgz | Transitive | 1.1.0 | | |
| CVE-2018-3774 | Critical | 9.8 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2018-16492 | Critical | 9.8 | extend-3.0.1.tgz | Transitive | 1.1.0 | | |
| CVE-2018-13797 | Critical | 9.8 | macaddress-0.2.8.tgz | Transitive | 1.1.0 | | |
| CVE-2018-1000620 | Critical | 9.8 | cryptiles-3.1.2.tgz | Transitive | 1.1.1 | | |
| CVE-2023-45133 | Critical | 9.3 | babel-traverse-6.26.0.tgz | Transitive | N/A* | | |
| CVE-2024-48949 | Critical | 9.1 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2024-29415 | Critical | 9.1 | ip-1.1.5.tgz | Transitive | N/A* | | |
| CVE-2022-0686 | Critical | 9.1 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2019-10744 | Critical | 9.1 | lodash.template-4.4.0.tgz | Transitive | 1.1.0 | | |
| WS-2019-0063 | High | 8.1 | detected in multiple dependencies | Transitive | 2.0.0 | | |
| CVE-2022-1650 | High | 8.1 | eventsource-0.1.6.tgz | Transitive | 2.1.3 | | |
| CVE-2021-43138 | High | 7.8 | async-2.6.0.tgz | Transitive | 1.1.0 | | |
| CVE-2021-23386 | High | 7.7 | dns-packet-1.2.2.tgz | Transitive | 1.1.0 | | |
| CVE-2020-13822 | High | 7.7 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | | |
| WS-2021-0152 | High | 7.5 | color-string-0.3.0.tgz | Transitive | 2.0.0 | | |
| WS-2020-0450 | High | 7.5 | handlebars-4.5.3.tgz | Transitive | 1.1.0 | | |
| WS-2019-0541 | High | 7.5 | macaddress-0.2.8.tgz | Transitive | 1.1.0 | | |
| WS-2019-0032 | High | 7.5 | detected in multiple dependencies | Transitive | 2.0.0 | | |
| CVE-2024-52798 | High | 7.5 | path-to-regexp-0.1.7.tgz | Transitive | N/A* | | |
| CVE-2024-45590 | High | 7.5 | body-parser-1.18.2.tgz | Transitive | N/A* | | |
| CVE-2024-45296 | High | 7.5 | detected in multiple dependencies | Transitive | 2.0.1 | | |
| CVE-2024-4068 | High | 7.5 | braces-1.8.5.tgz | Transitive | N/A* | | |
| CVE-2024-21536 | High | 7.5 | http-proxy-middleware-0.17.4.tgz | Transitive | N/A* | | |
| CVE-2022-37620 | High | 7.5 | html-minifier-3.5.6.tgz | Transitive | N/A* | | |
| CVE-2022-37603 | High | 7.5 | loader-utils-1.1.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.3.tgz | Transitive | N/A* | | |
| CVE-2022-24999 | High | 7.5 | qs-6.5.1.tgz | Transitive | 1.1.0 | | |
| CVE-2022-24772 | High | 7.5 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | | |
| CVE-2022-24771 | High | 7.5 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | | |
| CVE-2021-3803 | High | 7.5 | nth-check-1.0.1.tgz | Transitive | 1.1.0 | | |
| CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | 1.1.0 | | |
| CVE-2021-33623 | High | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 2.0.1 | | |
| CVE-2021-29059 | High | 7.5 | is-svg-2.1.0.tgz | Transitive | 2.0.0 | | |
| CVE-2021-28092 | High | 7.5 | is-svg-2.1.0.tgz | Transitive | 2.0.0 | | |
| CVE-2021-27516 | High | 7.5 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2021-23424 | High | 7.5 | ansi-html-0.0.7.tgz | Transitive | 5.0.0 | | |
| CVE-2020-7662 | High | 7.5 | websocket-extensions-0.1.3.tgz | Transitive | 1.1.0 | | |
| CVE-2018-3737 | High | 7.5 | sshpk-1.13.1.tgz | Transitive | 1.1.0 | | |
| CVE-2018-16469 | High | 7.5 | merge-1.2.0.tgz | Transitive | 1.1.0 | | |
| CVE-2018-14732 | High | 7.5 | webpack-dev-server-2.9.4.tgz | Transitive | 2.0.0 | | |
| WS-2018-0588 | High | 7.4 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2022-29167 | High | 7.4 | hawk-6.0.2.tgz | Transitive | 1.1.1 | | |
| CVE-2020-8116 | High | 7.3 | dot-prop-3.0.0.tgz | Transitive | 1.1.0 | | |
| CVE-2020-7788 | High | 7.3 | ini-1.3.4.tgz | Transitive | 1.1.0 | | |
| CVE-2020-28499 | High | 7.3 | merge-1.2.0.tgz | Transitive | 3.0.0 | | |
| CVE-2018-3750 | High | 7.3 | deep-extend-0.4.2.tgz | Transitive | 1.1.0 | | |
| WS-2018-0590 | High | 7.1 | diff-3.4.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-46175 | High | 7.1 | json5-0.5.1.tgz | Transitive | 3.0.0 | | |
| CVE-2020-28498 | Medium | 6.8 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | | |
| WS-2022-0008 | Medium | 6.6 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | | |
| CVE-2023-26136 | Medium | 6.5 | tough-cookie-2.3.3.tgz | Transitive | 4.0.0 | | |
| CVE-2022-0613 | Medium | 6.5 | urijs-1.19.0.tgz | Transitive | N/A* | | |
| CVE-2020-26291 | Medium | 6.5 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2018-21270 | Medium | 6.5 | stringstream-0.0.5.tgz | Transitive | 1.1.0 | | |
| CVE-2024-43788 | Medium | 6.4 | webpack-3.8.1.tgz | Transitive | N/A* | | |
| CVE-2024-29041 | Medium | 6.1 | express-4.16.2.tgz | Transitive | N/A* | | |
| CVE-2023-28155 | Medium | 6.1 | request-2.83.0.tgz | Transitive | N/A* | | |
| CVE-2022-1243 | Medium | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-1233 | Medium | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-0868 | Medium | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-0122 | Medium | 6.1 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | | |
| CVE-2021-3647 | Medium | 6.1 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| WS-2019-0427 | Medium | 5.9 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | | |
| WS-2019-0424 | Medium | 5.9 | elliptic-6.4.0.tgz | Transitive | 1.1.0 | | |
| CVE-2021-24033 | Medium | 5.6 | react-dev-utils-4.2.1.tgz | Transitive | 4.0.0 | | |
| CVE-2021-23383 | Medium | 5.6 | handlebars-4.5.3.tgz | Transitive | 1.1.0 | | |
| CVE-2021-23369 | Medium | 5.6 | handlebars-4.5.3.tgz | Transitive | 1.1.0 | | |
| CVE-2020-7789 | Medium | 5.6 | node-notifier-5.1.2.tgz | Transitive | 1.1.0 | | |
| CVE-2020-7598 | Medium | 5.6 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2020-15366 | Medium | 5.6 | ajv-5.3.0.tgz | Transitive | 2.0.0 | | |
| WS-2019-0017 | Medium | 5.3 | clean-css-4.1.9.tgz | Transitive | 1.1.0 | | |
| WS-2018-0347 | Medium | 5.3 | eslint-4.10.0.tgz | Transitive | 2.0.0 | | |
| WS-2017-3757 | Medium | 5.3 | content-type-parser-1.0.2.tgz | Transitive | N/A* | | |
| CVE-2024-4067 | Medium | 5.3 | micromatch-2.3.11.tgz | Transitive | N/A* | | |
| CVE-2023-44270 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | | |
| CVE-2022-33987 | Medium | 5.3 | got-5.7.1.tgz | Transitive | 2.0.1 | | |
| CVE-2022-24773 | Medium | 5.3 | node-forge-0.6.33.tgz | Transitive | 5.0.0 | | |
| CVE-2022-24723 | Medium | 5.3 | urijs-1.19.0.tgz | Transitive | 1.1.0 | | |
| CVE-2022-0639 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2022-0512 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2021-3664 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2021-29060 | Medium | 5.3 | color-string-0.3.0.tgz | Transitive | 2.0.0 | | |
| CVE-2021-27515 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2021-23382 | Medium | 5.3 | detected in multiple dependencies | Transitive | 3.0.0 | | |
| CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.5.0.tgz | Transitive | 1.1.0 | | |
| CVE-2021-23343 | Medium | 5.3 | path-parse-1.0.5.tgz | Transitive | 1.1.0 | | |
| CVE-2020-8124 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.1.0 | | |
| CVE-2020-7693 | Medium | 5.3 | sockjs-0.3.18.tgz | Transitive | 3.4.2 | | |
| CVE-2020-7608 | Medium | 5.3 | detected in multiple dependencies | Transitive | 2.0.0 | | |
| CVE-2020-28469 | Medium | 5.3 | glob-parent-2.0.0.tgz | Transitive | 5.0.0 | | |
| CVE-2017-16028 | Medium | 5.3 | randomatic-1.1.7.tgz | Transitive | 1.1.0 | | |
| WS-2019-0307 | Medium | 5.1 | mem-1.1.0.tgz | Transitive | 2.0.0 | | |
| CVE-2024-43800 | Medium | 5.0 | serve-static-1.13.1.tgz | Transitive | N/A* | | |
| CVE-2024-43799 | Medium | 5.0 | send-0.16.1.tgz | Transitive | N/A* | | |
| CVE-2024-43796 | Medium | 5.0 | express-4.16.2.tgz | Transitive | N/A* | | |
| WS-2018-0103 | Medium | 4.8 | stringstream-0.0.5.tgz | Transitive | 1.1.0 | | |
| CVE-2024-48948 | Medium | 4.8 | detected in multiple dependencies | Transitive | N/A* | | |
| WS-2018-0589 | Low | 3.7 | nwmatcher-1.4.3.tgz | Transitive | 1.1.0 | | |
| CVE-2024-27088 | Low | 0.0 | es5-ext-0.10.35.tgz | Transitive | 1.1.0 | | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • webpack-dev-server-2.9.4.tgz
      • ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • eslint-loader-1.9.0.tgz
      • loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0


CVE-2022-0691

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • eventsource-0.1.6.tgz
          • original-1.0.0.tgz
            • url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0


CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz, minimist-0.0.10.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-haste-map-20.0.5.tgz
          • sane-1.6.0.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • babel-loader-7.1.2.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • istanbul-api-1.2.1.tgz
          • istanbul-reports-1.1.3.tgz
            • handlebars-4.5.3.tgz
              • optimist-0.6.1.tgz
                • minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.1.0


CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-environment-jsdom-20.0.3.tgz
          • jsdom-9.12.0.tgz
            • request-2.83.0.tgz
              • http-signature-1.2.0.tgz
                • jsprim-1.4.1.tgz
                  • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2020-7720

Vulnerable Library - node-forge-0.6.33.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.33.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • webpack-dev-server-2.9.4.tgz
      • selfsigned-1.10.1.tgz
        • node-forge-0.6.33.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-6342

Vulnerable Library - react-dev-utils-4.2.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 4.2.2

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-3774

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • eventsource-0.1.6.tgz
          • original-1.0.0.tgz
            • url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • react-dev-utils-4.2.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0


CVE-2018-16492

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-environment-jsdom-20.0.3.tgz
          • jsdom-9.12.0.tgz
            • request-2.83.0.tgz
              • extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-13797

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • css-loader-0.28.7.tgz
      • cssnano-3.10.0.tgz
        • postcss-filter-plugins-2.0.2.tgz
          • uniqid-4.1.1.tgz
            • macaddress-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2022-10-03

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-1000620

Vulnerable Library - cryptiles-3.1.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-environment-jsdom-20.0.3.tgz
          • jsdom-9.12.0.tgz
            • request-2.83.0.tgz
              • hawk-6.0.2.tgz
                • cryptiles-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Eran Hammer's cryptiles, version 4.1.1 and earlier, contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.1

CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • babel-core-6.26.0.tgz
      • babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

CVE-2024-48949

Vulnerable Libraries - elliptic-6.5.4.tgz, elliptic-6.4.0.tgz

elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • webpack-3.8.1.tgz
      • node-libs-browser-2.0.0.tgz
        • crypto-browserify-3.12.0.tgz
          • browserify-sign-4.2.2.tgz
            • elliptic-6.5.4.tgz (Vulnerable Library)

elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • webpack-3.8.1.tgz
      • node-libs-browser-2.0.0.tgz
        • crypto-browserify-3.12.0.tgz
          • create-ecdh-4.0.0.tgz
            • elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (react-scripts): 1.1.0


CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[![](https://badge.fury.io/js/ip.svg)](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Dependency Hierarchy:

  • react-scripts-1.0.17.tgz (Root Library)
    • webpack-dev-server-2.9.4.tgz
      • ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: caf38324f5719d5c85806c516ecfb8f0177e29c0

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Mend Note: We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Nov 15, 2024
@mend-for-github-com mend-for-github-com bot changed the title react-scripts-1.0.17.tgz: 107 vulnerabilities (highest severity is: 9.8) react-scripts-1.0.17.tgz: 106 vulnerabilities (highest severity is: 9.8) Nov 19, 2024
@mend-for-github-com mend-for-github-com bot changed the title react-scripts-1.0.17.tgz: 106 vulnerabilities (highest severity is: 9.8) react-scripts-1.0.17.tgz: 107 vulnerabilities (highest severity is: 9.8) Dec 6, 2024