Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

react-scripts-1.0.11.tgz: 44 vulnerabilities (highest severity is: 9.8) - autoclosed #97

Closed
mend-for-github-com bot opened this issue Nov 15, 2024 · 2 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

Vulnerable Library - react-scripts-1.0.11.tgz

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (react-scripts version) Remediation Possible** Reachability
CVE-2022-0691 Critical 9.8 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2018-6342 Critical 9.8 react-dev-utils-3.1.1.tgz Transitive 1.0.12
CVE-2018-3774 Critical 9.8 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2022-0686 Critical 9.1 url-parse-1.1.9.tgz Transitive 1.0.12
WS-2019-0063 High 8.1 js-yaml-3.9.1.tgz Transitive 2.0.0
CVE-2021-43138 High 7.8 async-2.5.0.tgz Transitive 1.0.12
WS-2020-0091 High 7.5 http-proxy-1.16.2.tgz Transitive 1.0.12
WS-2019-0032 High 7.5 js-yaml-3.9.1.tgz Transitive 2.0.0
CVE-2024-21540 High 7.5 source-map-support-0.4.16.tgz Transitive N/A*
CVE-2022-37620 High 7.5 html-minifier-3.5.3.tgz Transitive N/A*
CVE-2022-24999 High 7.5 qs-6.5.0.tgz Transitive 1.0.12
CVE-2021-27516 High 7.5 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2020-7662 High 7.5 websocket-extensions-0.1.1.tgz Transitive 1.0.12
CVE-2018-14732 High 7.5 webpack-dev-server-2.7.1.tgz Transitive 2.0.0
CVE-2017-16138 High 7.5 mime-1.3.6.tgz Transitive 1.0.15
CVE-2017-16118 High 7.5 forwarded-0.1.0.tgz Transitive 1.0.12
CVE-2017-16099 High 7.5 no-case-2.3.1.tgz Transitive 1.0.12
WS-2018-0590 High 7.1 diff-3.3.0.tgz Transitive 1.0.12
CVE-2022-0613 Medium 6.5 urijs-1.18.12.tgz Transitive N/A*
CVE-2020-26291 Medium 6.5 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2024-43788 Medium 6.4 webpack-3.5.1.tgz Transitive N/A*
CVE-2024-29041 Medium 6.1 express-4.15.4.tgz Transitive N/A*
CVE-2022-1243 Medium 6.1 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-1233 Medium 6.1 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-0868 Medium 6.1 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2021-3647 Medium 6.1 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2021-24033 Medium 5.6 react-dev-utils-3.1.1.tgz Transitive 4.0.0
CVE-2020-15366 Medium 5.6 ajv-5.2.2.tgz Transitive 2.0.0
WS-2019-0017 Medium 5.3 clean-css-4.1.7.tgz Transitive 1.0.12
WS-2018-0347 Medium 5.3 eslint-4.4.1.tgz Transitive 2.0.0
WS-2017-3757 Medium 5.3 content-type-parser-1.0.1.tgz Transitive N/A*
CVE-2023-44270 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2022-24723 Medium 5.3 urijs-1.18.12.tgz Transitive 1.0.12
CVE-2022-0639 Medium 5.3 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2022-0512 Medium 5.3 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2021-3664 Medium 5.3 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2021-27515 Medium 5.3 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2021-23382 Medium 5.3 detected in multiple dependencies Transitive 3.0.0
CVE-2020-8124 Medium 5.3 url-parse-1.1.9.tgz Transitive 1.0.12
CVE-2024-43800 Medium 5.0 serve-static-1.12.4.tgz Transitive N/A*
CVE-2024-43799 Medium 5.0 send-0.15.4.tgz Transitive N/A*
CVE-2024-43796 Medium 5.0 express-4.15.4.tgz Transitive N/A*
WS-2018-0589 Low 3.7 nwmatcher-1.4.1.tgz Transitive 1.0.12
CVE-2024-27088 Low 0.0 es5-ext-0.10.29.tgz Transitive 1.0.12

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-0691

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2018-6342

Vulnerable Library - react-dev-utils-3.1.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.1.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • react-dev-utils-3.1.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 3.1.2

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2018-3774

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2022-0686

Vulnerable Library - url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-client-1.1.4.tgz
        • url-parse-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 1.0.12

WS-2019-0063

Vulnerable Library - js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • postcss-loader-2.0.6.tgz
      • postcss-load-config-1.2.0.tgz
        • postcss-load-plugins-2.3.0.tgz
          • cosmiconfig-2.2.2.tgz
            • js-yaml-3.9.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (react-scripts): 2.0.0

CVE-2021-43138

Vulnerable Library - async-2.5.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.5.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-3.5.1.tgz
      • async-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-scripts): 1.0.12

WS-2020-0091

Vulnerable Library - http-proxy-1.16.2.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.16.2.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • http-proxy-middleware-0.17.4.tgz
        • http-proxy-1.16.2.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-14

Fix Resolution (http-proxy): 1.18.1

Direct dependency fix Resolution (react-scripts): 1.0.12

WS-2019-0032

Vulnerable Library - js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • postcss-loader-2.0.6.tgz
      • postcss-load-config-1.2.0.tgz
        • postcss-load-plugins-2.3.0.tgz
          • cosmiconfig-2.2.2.tgz
            • js-yaml-3.9.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (react-scripts): 2.0.0

CVE-2024-21540

Vulnerable Library - source-map-support-0.4.16.tgz

Fixes stack traces for files with source maps

Library home page: https://registry.npmjs.org/source-map-support/-/source-map-support-0.4.16.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • babel-jest-20.0.3.tgz
      • babel-core-6.26.0.tgz
        • babel-register-6.26.0.tgz
          • source-map-support-0.4.16.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

All versions of the package source-map-support are vulnerable to Directory Traversal in the retrieveSourceMap function.

Publish Date: 2024-11-13

URL: CVE-2024-21540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2022-37620

Vulnerable Library - html-minifier-3.5.3.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.3.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • html-minifier-3.5.3.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

Publish Date: 2022-10-31

URL: CVE-2022-37620

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-24999

Vulnerable Library - qs-6.5.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • express-4.15.4.tgz
        • qs-6.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2021-27516

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Publish Date: 2021-02-21

URL: CVE-2021-27516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27516

Release Date: 2021-02-21

Fix Resolution (urijs): 1.19.6

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2020-7662

Vulnerable Library - websocket-extensions-0.1.1.tgz

Generic extension manager for WebSocket connections

Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • sockjs-0.3.18.tgz
        • faye-websocket-0.10.0.tgz
          • websocket-driver-0.6.5.tgz
            • websocket-extensions-0.1.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7662

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g78m-2chm-r7qv

Release Date: 2020-06-02

Fix Resolution (websocket-extensions): 0.1.4

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2018-14732

Vulnerable Library - webpack-dev-server-2.7.1.tgz

Serves a webpack app. Updates the browser on changes.

Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

Publish Date: 2018-09-21

URL: CVE-2018-14732

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14732

Release Date: 2018-09-21

Fix Resolution (webpack-dev-server): 3.1.6

Direct dependency fix Resolution (react-scripts): 2.0.0

CVE-2017-16138

Vulnerable Library - mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • webpack-dev-middleware-1.12.0.tgz
        • mime-1.3.6.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (react-scripts): 1.0.15

CVE-2017-16118

Vulnerable Library - forwarded-0.1.0.tgz

Parse HTTP X-Forwarded-For header

Library home page: https://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • express-4.15.4.tgz
        • proxy-addr-1.1.5.tgz
          • forwarded-0.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16118

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/527/versions

Release Date: 2018-04-26

Fix Resolution (forwarded): 0.1.2

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2017-16099

Vulnerable Library - no-case-2.3.1.tgz

Remove case from a string

Library home page: https://registry.npmjs.org/no-case/-/no-case-2.3.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • html-webpack-plugin-2.29.0.tgz
      • html-minifier-3.5.3.tgz
        • param-case-2.1.1.tgz
          • no-case-2.3.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16099

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/529/versions

Release Date: 2018-06-07

Fix Resolution (no-case): 2.3.2

Direct dependency fix Resolution (react-scripts): 1.0.12

WS-2018-0590

Vulnerable Library - diff-3.3.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.3.0.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • jest-20.0.4.tgz
      • jest-cli-20.0.4.tgz
        • jest-jasmine2-20.0.4.tgz
          • jest-diff-20.0.3.tgz
            • diff-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2022-0613

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.

Publish Date: 2022-02-16

URL: CVE-2022-0613

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083/

Release Date: 2022-02-16

Fix Resolution: uri.js - v1.19.8

CVE-2020-26291

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

Publish Date: 2020-12-30

URL: CVE-2020-26291

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26291

Release Date: 2020-12-30

Fix Resolution (urijs): 1.19.4

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2024-43788

Vulnerable Library - webpack-3.5.1.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-3.5.1.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-3.5.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-08-27

URL: CVE-2024-43788

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4vvj-4cpr-p986

Release Date: 2024-08-27

Fix Resolution: webpack - 5.94.0

CVE-2024-29041

Vulnerable Library - express-4.15.4.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.15.4.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • webpack-dev-server-2.7.1.tgz
      • express-4.15.4.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: express - 4.19.0

CVE-2022-1243

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.

Publish Date: 2022-04-05

URL: CVE-2022-1243

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7/

Release Date: 2022-04-05

Fix Resolution (urijs): 1.19.11

Direct dependency fix Resolution (react-scripts): 1.0.12

CVE-2022-1233

Vulnerable Library - urijs-1.18.12.tgz

URI.js is a Javascript library for working with URLs.

Library home page: https://registry.npmjs.org/urijs/-/urijs-1.18.12.tgz

Dependency Hierarchy:

  • react-scripts-1.0.11.tgz (Root Library)
    • sw-precache-webpack-plugin-0.11.4.tgz
      • sw-precache-5.2.0.tgz
        • dom-urls-1.1.0.tgz
          • urijs-1.18.12.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.

Publish Date: 2022-04-04

URL: CVE-2022-1233

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1233

Release Date: 2022-04-04

Fix Resolution (urijs): 1.19.11

Direct dependency fix Resolution (react-scripts): 1.0.12

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Nov 15, 2024
@mend-for-github-com mend-for-github-com bot changed the title react-scripts-1.0.11.tgz: 44 vulnerabilities (highest severity is: 9.8) react-scripts-1.0.11.tgz: 44 vulnerabilities (highest severity is: 9.8) - autoclosed Nov 15, 2024
@mend-for-github-com mend-for-github-com bot changed the title react-scripts-1.0.11.tgz: 44 vulnerabilities (highest severity is: 9.8) react-scripts-1.0.11.tgz: 44 vulnerabilities (highest severity is: 9.8) - autoclosed Nov 15, 2024
Copy link
Author

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #98

1 similar comment
Copy link
Author

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #98

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants