Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz #1084

Closed
mend-for-github-com bot opened this issue Jan 4, 2022 · 7 comments · Fixed by #1320
Closed

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz #1084

mend-for-github-com bot opened this issue Jan 4, 2022 · 7 comments · Fixed by #1320
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Jan 4, 2022

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

  • has-ansi-3.0.0.tgz (Root Library)
    • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Dependency Hierarchy:

  • github-checks-reporter-0.0.20-b3.tgz (Root Library)
    • strip-ansi-5.2.0.tgz
      • ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (has-ansi): 5.0.0

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 4, 2022
@tmarkley tmarkley added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 4, 2022
@tmarkley
Copy link
Contributor

tmarkley commented Jan 6, 2022

$ yarn why ansi-regex
yarn why v1.22.17
[1/4] Why do we have the module "ansi-regex"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "ansi-regex@2.1.1"
info Has been hoisted to "ansi-regex"
info Reasons this module exists
   - "workspace-aggregator-951a1914-7a65-48a8-9ec3-0f4c55d91856" depends on it
   - Hoisted from "_project_#elasticsearch#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#inquirer#ansi-regex"
   - Hoisted from "_project_#elasticsearch#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@elastic#makelogs#update-notifier#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#sass-lint#eslint#chalk#strip-ansi#ansi-regex"
   - Hoisted from "_project_#listr#listr-update-renderer#cli-truncate#string-width#strip-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#node-sass#npmlog#gauge#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "has-ansi#ansi-regex@3.0.0"
info This module exists because "_project_#has-ansi" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "pretty-format#ansi-regex@5.0.0"
info This module exists because "_project_#pretty-format" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "strip-ansi#ansi-regex@5.0.1"
info This module exists because "_project_#strip-ansi" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "grunt-run#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#grunt-run#strip-ansi" depends on it
   - Hoisted from "_project_#grunt-run#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/strip-ansi#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@elastic/github-checks-reporter#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@elastic#github-checks-reporter#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#github-checks-reporter#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "eslint#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#eslint#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/jest#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "license-checker#ansi-regex@0.2.1"
info Reasons this module exists
   - "_project_#license-checker#chalk#has-ansi" depends on it
   - Hoisted from "_project_#license-checker#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#license-checker#chalk#strip-ansi#ansi-regex"
info Disk size without dependencies: "12KB"
info Disk size with unique dependencies: "12KB"
info Disk size with transitive dependencies: "12KB"
info Number of shared dependencies: 0
=> Found "grunt-available-tasks#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#grunt-available-tasks#chalk#has-ansi" depends on it
   - Hoisted from "_project_#grunt-available-tasks#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#grunt-available-tasks#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/pm#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@osd#pm#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#pm#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@osd/test#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@osd#test#@types#strip-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#test#@types#strip-ansi#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "yargs#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "cliui#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#cliui#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@types/testing-library__jest-dom#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "webpack-dev-server#ansi-regex@6.0.1"
info Reasons this module exists
   - "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#webpack-dev-server#strip-ansi#ansi-regex"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@osd/ui-framework#ansi-regex@2.1.1"
info Reasons this module exists
   - "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi" depends on it
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#has-ansi#ansi-regex"
   - Hoisted from "_project_#@osd#ui-framework#grunt-contrib-copy#chalk#strip-ansi#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wide-align#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#mocha#wide-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#mocha#wide-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "wrap-ansi#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#yargs#cliui#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#yargs#cliui#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "table#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "@testing-library/jest-dom#ansi-regex@5.0.0"
info Reasons this module exists
   - "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format" depends on it
   - Hoisted from "_project_#@testing-library#jest-dom#@types#testing-library__jest-dom#@types#jest#pretty-format#ansi-regex"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "sass-lint#table#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#sass-lint#eslint#table#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#sass-lint#eslint#table#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "log-update#ansi-regex@3.0.0"
info Reasons this module exists
   - "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi" depends on it
   - Hoisted from "_project_#listr#listr-update-renderer#log-update#wrap-ansi#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
=> Found "ansi-align#ansi-regex@4.1.0"
info Reasons this module exists
   - "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi" depends on it
   - Hoisted from "_project_#@elastic#safer-lodash-set#tsd#update-notifier#boxen#ansi-align#string-width#strip-ansi#ansi-regex"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
Done in 1.60s.

@tmarkley
Copy link
Contributor

tmarkley commented Jan 6, 2022

$ npm ls ansi-regex
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
├─┬ @elastic/github-checks-reporter@0.0.20b3
│ └─┬ strip-ansi@5.2.0
│   └── ansi-regex@4.1.0
├─┬ @elastic/makelogs@6.0.0
│ └─┬ update-notifier@0.5.0
│   └─┬ chalk@1.1.3
│     ├─┬ has-ansi@2.0.0
│     │ └── ansi-regex@2.1.1 deduped
│     └─┬ strip-ansi@3.0.1
│       └── ansi-regex@2.1.1 deduped
├─┬ @elastic/safer-lodash-set@0.0.0 -> ./packages/opensearch-safer-lodash-set
│ └─┬ tsd@0.16.0
│   └─┬ update-notifier@4.1.0
│     └─┬ boxen@4.2.0
│       └─┬ ansi-align@3.0.0
│         └─┬ string-width@3.1.0
│           └─┬ strip-ansi@5.2.0
│             └── ansi-regex@4.1.0
├─┬ @osd/optimizer@1.0.0 -> ./packages/osd-optimizer
│ └─┬ node-sass@6.0.1
│   ├─┬ chalk@1.1.3
│   │ ├─┬ has-ansi@2.0.0
│   │ │ └── ansi-regex@2.1.1 deduped
│   │ └─┬ strip-ansi@3.0.1
│   │   └── ansi-regex@2.1.1 deduped
│   └─┬ npmlog@4.1.2
│     └─┬ gauge@2.7.4
│       └─┬ strip-ansi@3.0.1
│         └── ansi-regex@2.1.1 deduped
├─┬ @osd/pm@1.0.0 -> ./packages/osd-pm
│ └─┬ @types/strip-ansi@5.2.1
│   └─┬ strip-ansi@5.2.0
│     └── ansi-regex@4.1.0
├─┬ @osd/test@1.0.0 -> ./packages/osd-test
│ └─┬ @types/strip-ansi@5.2.1
│   └─┬ strip-ansi@5.2.0
│     └── ansi-regex@4.1.0
├─┬ @osd/ui-framework@1.0.0 -> ./packages/osd-ui-framework
│ ├─┬ grunt-contrib-copy@1.0.0
│ │ └─┬ chalk@1.1.3
│ │   ├─┬ has-ansi@2.0.0
│ │   │ └── ansi-regex@2.1.1
│ │   └─┬ strip-ansi@3.0.1
│ │     └── ansi-regex@2.1.1 deduped
│ └─┬ webpack-dev-server@4.7.4
│   └─┬ strip-ansi@7.0.1
│     └── ansi-regex@6.0.1
├─┬ @testing-library/dom@7.24.2
│ └─┬ pretty-format@26.4.2
│   └── ansi-regex@5.0.0
├─┬ @testing-library/jest-dom@5.11.4
│ └─┬ @types/testing-library__jest-dom@5.9.2
│   └─┬ @types/jest@25.2.3
│     └─┬ pretty-format@25.5.0
│       └── ansi-regex@5.0.0
├─┬ @types/jest@26.0.14
│ └─┬ pretty-format@25.5.0
│   └── ansi-regex@5.0.0
├─┬ @types/strip-ansi@5.2.1
│ └─┬ strip-ansi@5.2.0
│   └── ansi-regex@4.1.0
├─┬ @types/testing-library__jest-dom@5.9.3
│ └─┬ @types/jest@25.2.3
│   └─┬ pretty-format@25.5.0
│     └── ansi-regex@5.0.0
├─┬ elasticsearch@16.7.0
│ └─┬ chalk@1.1.3
│   ├─┬ has-ansi@2.0.0
│   │ └── ansi-regex@2.1.1
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ eslint@6.8.0
│ ├─┬ strip-ansi@5.2.0
│ │ └── ansi-regex@4.1.0
│ └─┬ table@5.2.3
│   └─┬ string-width@3.1.0
│     └─┬ strip-ansi@5.2.0
│       └── ansi-regex@4.1.0
├─┬ grunt-available-tasks@0.6.3
│ └─┬ chalk@1.1.3
│   ├─┬ has-ansi@2.0.0
│   │ └── ansi-regex@2.1.1
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ grunt-run@0.8.1
│ └─┬ strip-ansi@3.0.1
│   └── ansi-regex@2.1.1
├─┬ has-ansi@3.0.0
│ └── ansi-regex@3.0.0
├─┬ license-checker@16.0.0
│ └─┬ chalk@0.5.1
│   ├─┬ has-ansi@0.1.0
│   │ └── ansi-regex@0.2.1
│   └─┬ strip-ansi@0.3.0
│     └── ansi-regex@0.2.1 deduped
├─┬ listr@0.14.3
│ └─┬ listr-update-renderer@0.5.0
│   ├─┬ chalk@1.1.3
│   │ └─┬ has-ansi@2.0.0
│   │   └── ansi-regex@2.1.1 deduped
│   ├─┬ cli-truncate@0.2.1
│   │ └─┬ string-width@1.0.2
│   │   └─┬ strip-ansi@3.0.1
│   │     └── ansi-regex@2.1.1 deduped
│   ├─┬ log-update@2.3.0
│   │ └─┬ wrap-ansi@3.0.1
│   │   └─┬ strip-ansi@4.0.0
│   │     └── ansi-regex@3.0.0
│   └─┬ strip-ansi@3.0.1
│     └── ansi-regex@2.1.1 deduped
├─┬ mocha@7.2.0
│ ├─┬ wide-align@1.1.3
│ │ └─┬ string-width@2.1.1
│ │   └─┬ strip-ansi@4.0.0
│ │     └── ansi-regex@3.0.0
│ └─┬ yargs@13.3.2
│   ├─┬ cliui@5.0.0
│   │ ├─┬ strip-ansi@5.2.0
│   │ │ └── ansi-regex@4.1.0
│   │ └─┬ wrap-ansi@5.1.0
│   │   └─┬ strip-ansi@5.2.0
│   │     └── ansi-regex@4.1.0
│   └─┬ string-width@3.1.0
│     └─┬ strip-ansi@5.2.0
│       └── ansi-regex@4.1.0
├─┬ sass-lint@1.12.1
│ └─┬ eslint@2.13.1
│   ├─┬ chalk@1.1.3
│   │ ├─┬ has-ansi@2.0.0
│   │ │ └── ansi-regex@2.1.1 deduped
│   │ └─┬ strip-ansi@3.0.1
│   │   └── ansi-regex@2.1.1 deduped
│   ├─┬ inquirer@0.12.0
│   │ └── ansi-regex@2.1.1 deduped
│   └─┬ table@3.8.3
│     └─┬ string-width@2.1.1
│       └─┬ strip-ansi@4.0.0
│         └── ansi-regex@3.0.0
└─┬ strip-ansi@6.0.1
  └── ansi-regex@5.0.1

@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz, ansi-regex-4.1.0.tgz CVE-2021-3807 (High) detected in multiple libraries Jan 14, 2022
@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in multiple libraries CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz Feb 9, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
AMoo-Miki pushed a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this issue Feb 10, 2022
@tmarkley tmarkley self-assigned this Feb 14, 2022
@tmarkley tmarkley mentioned this issue Mar 1, 2022
7 tasks
@mend-for-github-com mend-for-github-com bot changed the title CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz Mar 3, 2022
@tmarkley tmarkley added the v2.0.0 label Mar 4, 2022
tmarkley pushed a commit to tmarkley/OpenSearch-Dashboards that referenced this issue Mar 4, 2022
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves opensearch-project#1084

Signed-off-by: Tengda He <tengh@amazon.com>
tmarkley pushed a commit to tmarkley/OpenSearch-Dashboards that referenced this issue Mar 4, 2022
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves opensearch-project#1084

Signed-off-by: Tengda He <tengh@amazon.com>
tmarkley pushed a commit that referenced this issue Mar 4, 2022
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves #1084

Signed-off-by: Tengda He <tengh@amazon.com>
tmarkley pushed a commit that referenced this issue Mar 14, 2022
* Addresses known Inefficient Regular Expression Complexity CVE
  in `ansi-regex` < 5.0.1: CVE-2021-3807
* `webpack-dev-server` has a downstream dependency on
  `ansi-regex` v6.0.1 but it's still compatible with v5.0.1.

Resolves #1084

Signed-off-by: Tengda He <tengh@amazon.com>
@minutolc
Copy link

this issue is closed but I still have this CVE detected in the 1.3.2 versions or 2.0.0-rc1 version of opensearch dashboard. Anyone can explain if this issue is really done or not ?

@tmarkley
Copy link
Contributor

Hi @minutolc, yes this CVE is addressed in 2.0:

"**/ansi-regex": "^5.0.1",

It's not fixed in 1.3.2 because the fix involves a breaking change.

@minutolc
Copy link

minutolc commented May 10, 2022

Is it normal that i detect it also in 2.0.0-rc1 ? or it would be correct only in 2.0.0 ?

@tmarkley
Copy link
Contributor

The CVE is mitigated in 2.0.0-rc1 as well, so no that's not normal. Can you provide details about how you're detecting the CVE?

@minutolc
Copy link

minutolc commented May 11, 2022

I use Anchore in order to detect CVE :

result from Anchore

stop : vulnerabilities / package / HIGH Vulnerability found in non-os package type (npm) - /usr/share/opensearch-dashboards/plugins/notificationsDashboards/node_modules/wrap-ansi/node_modules/ansi-regex/package.json (CVE-2021-3807 - https://nvd.nist.gov/vuln/detail/CVE-2021-3807)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants