This project is forked from tidepool-org/blip
Blip is the internal name for Tidepool for Web, a tool for seeing diabetes data in one place.
Home Page: https://tidepool.org/products/tidepool/
License: BSD 2-Clause "Simplified" License
CSS 0.08%
JavaScript 94.91%
Shell 0.09%
HTML 0.01%
Dockerfile 0.15%
Less 4.75%
EJS 0.02%
blip's Issues
CVE-2020-15095 - Medium Severity Vulnerability
Vulnerable Libraries - npm-2.15.12.tgz, npm-5.1.0.tgz
npm-2.15.12.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
❌ npm-2.15.12.tgz (Vulnerable Library)
npm-5.1.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ npm-5.1.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Publish Date: 2020-07-07
URL: CVE-2020-15095
CVSS 3 Score Details (4.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-93f3-23rq-pjfp
Release Date: 2020-07-07
Fix Resolution: npm - 6.14.6
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - lodash-3.3.1.tgz, lodash-4.17.19.tgz, lodash-4.17.4.tgz, lodash-4.17.20.tgz, lodash-4.17.15.tgz
lodash-3.3.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz
Dependency Hierarchy:
tidepool-platform-client-0.45.0.tgz (Root Library)
❌ lodash-3.3.1.tgz (Vulnerable Library)
lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Dependency Hierarchy:
❌ lodash-4.17.19.tgz (Vulnerable Library)
lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ lodash-4.17.4.tgz (Vulnerable Library)
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Dependency Hierarchy:
preset-env-7.11.0.tgz (Root Library)
types-7.11.5.tgz
❌ lodash-4.17.20.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Dependency Hierarchy:
tideline-1.24.0-control-iq.4.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@babel/preset-env): 7.11.5
CVE-2021-33623 - High Severity Vulnerability
Vulnerable Libraries - trim-newlines-3.0.0.tgz, trim-newlines-1.0.0.tgz
trim-newlines-3.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.0.tgz
Dependency Hierarchy:
stylelint-13.2.0.tgz (Root Library)
meow-6.0.1.tgz
❌ trim-newlines-3.0.0.tgz (Vulnerable Library)
trim-newlines-1.0.0.tgz
Trim newlines from the start and/or end of a string
Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz
Dependency Hierarchy:
karma-coverage-1.1.2.tgz (Root Library)
dateformat-1.0.12.tgz
meow-3.7.0.tgz
❌ trim-newlines-1.0.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Publish Date: 2021-05-28
URL: CVE-2021-33623
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623
Release Date: 2021-05-28
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (stylelint): 13.2.1
Fix Resolution (trim-newlines): 3.0.1
Direct dependency fix Resolution (karma-coverage): 2.0.2
CVE-2020-28481 - Medium Severity Vulnerability
Vulnerable Library - socket.io-2.1.1.tgz
node.js realtime framework server
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-2.1.1.tgz
Dependency Hierarchy:
karma-3.0.0.tgz (Root Library)
❌ socket.io-2.1.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution (socket.io): 2.4.0
Direct dependency fix Resolution (karma): 5.0.8
CVE-2020-7707 - High Severity Vulnerability
Vulnerable Library - property-expr-2.0.2.tgz
tiny util for getting and setting deep object props safely
Library home page: https://registry.npmjs.org/property-expr/-/property-expr-2.0.2.tgz
Dependency Hierarchy:
yup-0.29.0.tgz (Root Library)
❌ property-expr-2.0.2.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function.
Publish Date: 2020-08-18
URL: CVE-2020-7707
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7707
Release Date: 2020-08-18
Fix Resolution (property-expr): 2.0.3
Direct dependency fix Resolution (yup): 0.29.1
CVE-2021-32723 - Medium Severity Vulnerability
Vulnerable Libraries - prismjs-1.17.1.tgz, prismjs-1.19.0.tgz
prismjs-1.17.1.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
refractor-2.10.1.tgz
❌ prismjs-1.17.1.tgz (Vulnerable Library)
prismjs-1.19.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
❌ prismjs-1.19.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
Publish Date: 2021-06-28
URL: CVE-2021-32723
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-gj77-59wh-66hg
Release Date: 2021-06-28
Fix Resolution (prismjs): 1.24.0
Direct dependency fix Resolution (@storybook/addon-knobs): 6.1.0
Fix Resolution (prismjs): 1.24.0
Direct dependency fix Resolution (@storybook/addon-knobs): 6.1.0
CVE-2021-32640 - Medium Severity Vulnerability
Vulnerable Libraries - ws-5.2.2.tgz, ws-6.2.1.tgz
ws-5.2.2.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz
Dependency Hierarchy:
addon-actions-5.3.19.tgz (Root Library)
react-inspector-4.0.0.tgz
storybook-chromatic-2.2.2.tgz
jsdom-11.12.0.tgz
❌ ws-5.2.2.tgz (Vulnerable Library)
ws-6.2.1.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz
Dependency Hierarchy:
webpack-dev-server-3.8.0.tgz (Root Library)
❌ ws-6.2.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed upstream in ws (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 5.2.3
Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20
Fix Resolution (ws): 6.2.2
Direct dependency fix Resolution (webpack-dev-server): 3.8.1
CVE-2021-23383 - High Severity Vulnerability
Vulnerable Library - handlebars-4.7.6.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz
Dependency Hierarchy:
karma-coverage-1.1.2.tgz (Root Library)
istanbul-0.4.5.tgz
❌ handlebars-4.7.6.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (karma-coverage): 2.0.0
CVE-2021-31597 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Dependency Hierarchy:
karma-3.0.0.tgz (Root Library)
socket.io-2.1.1.tgz
socket.io-client-2.1.1.tgz
engine.io-client-3.2.1.tgz
❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
CVE-2021-23369 - High Severity Vulnerability
Vulnerable Library - handlebars-4.7.6.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.7.6.tgz
Dependency Hierarchy:
karma-coverage-1.1.2.tgz (Root Library)
istanbul-0.4.5.tgz
❌ handlebars-4.7.6.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (karma-coverage): 2.0.0
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
update-notifier-2.2.0.tgz
configstore-3.1.2.tgz
❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
CVE-2018-7651 - Medium Severity Vulnerability
Vulnerable Library - ssri-4.1.6.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-4.1.6.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
❌ ssri-4.1.6.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string.
Publish Date: 2018-03-04
URL: CVE-2018-7651
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7651
Release Date: 2018-03-04
Fix Resolution: 5.2.2
CVE-2019-16775 - Medium Severity Vulnerability
Vulnerable Libraries - npm-5.1.0.tgz, npm-2.15.12.tgz
npm-5.1.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ npm-5.1.0.tgz (Vulnerable Library)
npm-2.15.12.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
❌ npm-2.15.12.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16775
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2019-12-13
Fix Resolution: npm - 6.13.3; yarn - 1.21.1
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.4.tgz, lodash-4.17.20.tgz, lodash-3.3.1.tgz, lodash-4.17.15.tgz, lodash-4.17.19.tgz
lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ lodash-4.17.4.tgz (Vulnerable Library)
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Dependency Hierarchy:
preset-env-7.11.0.tgz (Root Library)
types-7.11.5.tgz
❌ lodash-4.17.20.tgz (Vulnerable Library)
lodash-3.3.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz
Dependency Hierarchy:
tidepool-platform-client-0.45.0.tgz (Root Library)
❌ lodash-3.3.1.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Dependency Hierarchy:
tideline-1.24.0-control-iq.4.tgz (Root Library)
❌ lodash-4.17.15.tgz (Vulnerable Library)
lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Dependency Hierarchy:
❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (@babel/preset-env): 7.11.5
CVE-2020-7774 - High Severity Vulnerability
Vulnerable Libraries - y18n-4.0.0.tgz, y18n-3.2.1.tgz
y18n-4.0.0.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
pacote-2.7.38.tgz
make-fetch-happen-2.6.0.tgz
cacache-10.0.4.tgz
❌ y18n-4.0.0.tgz (Vulnerable Library)
y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
pacote-2.7.38.tgz
cacache-9.3.0.tgz
❌ y18n-3.2.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution: 3.2.2, 4.0.1, 5.0.5
CVE-2020-7733 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Dependency Hierarchy:
create-react-class-15.6.3.tgz (Root Library)
fbjs-0.8.17.tgz
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (create-react-class): 15.7.0
CVE-2019-16777 - Medium Severity Vulnerability
Vulnerable Libraries - npm-2.15.12.tgz, npm-5.1.0.tgz
npm-2.15.12.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
❌ npm-2.15.12.tgz (Vulnerable Library)
npm-5.1.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ npm-5.1.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16777
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2020-10-09
Fix Resolution: npm - 6.13.4
WS-2020-0180 - High Severity Vulnerability
Vulnerable Libraries - npm-user-validate-1.0.0.tgz, npm-user-validate-0.1.5.tgz
npm-user-validate-1.0.0.tgz
User validations for npm
Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)
npm-user-validate-0.1.5.tgz
User validations for npm
Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-0.1.5.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
❌ npm-user-validate-0.1.5.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package npm-user-validate prior to version 1.0.1 is vulnerable to ReDoS. The regex that validates a user's email takes exponentially longer to process input strings that begin with the '@' character.
Publish Date: 2020-10-16
URL: WS-2020-0180
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-xgh6-85xh-479p
Release Date: 2020-10-16
Fix Resolution: 1.0.1
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Libraries - axios-0.19.0.tgz, axios-0.15.3.tgz
axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Dependency Hierarchy:
addon-actions-5.3.19.tgz (Root Library)
react-inspector-4.0.0.tgz
storybook-chromatic-2.2.2.tgz
localtunnel-1.10.1.tgz
❌ axios-0.19.0.tgz (Vulnerable Library)
axios-0.15.3.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Dependency Hierarchy:
github-api-3.0.0.tgz (Root Library)
❌ axios-0.15.3.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (github-api): 3.2.2
CVE-2021-27292 - High Severity Vulnerability
Vulnerable Library - ua-parser-js-0.7.21.tgz
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Dependency Hierarchy:
create-react-class-15.6.3.tgz (Root Library)
fbjs-0.8.17.tgz
❌ ua-parser-js-0.7.21.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
Publish Date: 2021-03-17
URL: CVE-2021-27292
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution (ua-parser-js): 0.7.24
Direct dependency fix Resolution (create-react-class): 15.7.0
CVE-2019-10742 - High Severity Vulnerability
Vulnerable Library - axios-0.15.3.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Dependency Hierarchy:
github-api-3.0.0.tgz (Root Library)
❌ axios-0.15.3.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-05-07
Fix Resolution (axios): 0.18.1
Direct dependency fix Resolution (github-api): 3.2.2
CVE-2020-7693 - Medium Severity Vulnerability
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is the server counterpart of SockJS-client, a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser JavaScript API which creates a low-latency, full-duplex, cross-domain communication channel.
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Dependency Hierarchy:
webpack-dev-server-3.8.0.tgz (Root Library)
❌ sockjs-0.3.19.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Incorrect handling of an Upgrade header with the value websocket leads to crashes of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (webpack-dev-server): 3.11.0
CVE-2021-23343 - High Severity Vulnerability
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Dependency Hierarchy:
eslint-plugin-react-7.20.3.tgz (Root Library)
resolve-1.17.0.tgz
❌ path-parse-1.0.6.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (eslint-plugin-react): 7.20.4
CVE-2018-1000620 - High Severity Vulnerability
Vulnerable Library - cryptiles-2.0.5.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
request-2.81.0.tgz
hawk-3.1.3.tgz
❌ cryptiles-2.0.5.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Eran Hammer's cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method. As a result, an attacker is more likely to be able to brute force a value that was supposed to be random. Exploitability depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution: v4.1.2
CVE-2021-32804 - High Severity Vulnerability
Vulnerable Library - tar-2.2.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
❌ tar-2.2.2.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path, or a filter method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.
Publish Date: 2021-08-03
URL: CVE-2021-32804
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3jfq-g458-7qm9
Release Date: 2021-08-03
Fix Resolution: tar - 3.2.2, 4.4.14, 5.0.6, 6.1.1
WS-2020-0342 - High Severity Vulnerability
Vulnerable Library - is-my-json-valid-2.20.0.tgz
A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
request-2.74.0.tgz
har-validator-2.0.6.tgz
❌ is-my-json-valid-2.20.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.
Publish Date: 2020-06-27
URL: WS-2020-0342
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-27
Fix Resolution: is-my-json-valid - 2.20.2
CVE-2017-18869 - Low Severity Vulnerability
Vulnerable Library - chownr-1.0.1.tgz
like `chown -R`
Library home page: https://registry.npmjs.org/chownr/-/chownr-1.0.1.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
❌ chownr-1.0.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
Publish Date: 2020-06-15
URL: CVE-2017-18869
CVSS 3 Score Details (2.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869
Release Date: 2020-06-15
Fix Resolution: 1.1.0
CVE-2021-23341 - High Severity Vulnerability
Vulnerable Libraries - prismjs-1.19.0.tgz, prismjs-1.17.1.tgz
prismjs-1.19.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
❌ prismjs-1.19.0.tgz (Vulnerable Library)
prismjs-1.17.1.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
refractor-2.10.1.tgz
❌ prismjs-1.17.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Publish Date: 2021-02-18
URL: CVE-2021-23341
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23341
Release Date: 2021-02-18
Fix Resolution (prismjs): 1.23.0
Direct dependency fix Resolution (@storybook/addon-knobs): 5.3.20
CVE-2021-23386 - Medium Severity Vulnerability
Vulnerable Library - dns-packet-1.3.1.tgz
An abstract-encoding compliant module for encoding / decoding DNS packets
Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz
Dependency Hierarchy:
webpack-dev-server-3.8.0.tgz (Root Library)
bonjour-3.5.0.tgz
multicast-dns-6.2.3.tgz
❌ dns-packet-1.3.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
Publish Date: 2021-05-20
URL: CVE-2021-23386
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386
Release Date: 2021-05-20
Fix Resolution (dns-packet): 1.3.2
Direct dependency fix Resolution (webpack-dev-server): 3.8.1
CVE-2021-33587 - High Severity Vulnerability
Vulnerable Library - css-what-3.2.1.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.2.1.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
webpack-4.3.3.tgz
plugin-svgo-4.3.1.tgz
svgo-1.3.2.tgz
css-select-2.1.0.tgz
❌ css-what-3.2.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has linear time complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (@storybook/react): 6.1.7
WS-2020-0042 - High Severity Vulnerability
Vulnerable Library - acorn-6.4.0.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/acorn/package.json
Dependency Hierarchy:
addon-actions-5.3.19.tgz (Root Library)
react-inspector-4.0.0.tgz
storybook-chromatic-2.2.2.tgz
jsdom-11.12.0.tgz
acorn-globals-4.3.4.tgz
❌ acorn-6.4.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service, since the string is not valid UTF-16 and so it is sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20
CVE-2021-3664 - Medium Severity Vulnerability
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
react-dev-utils-9.1.0.tgz
sockjs-client-1.4.0.tgz
❌ url-parse-1.4.7.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site.
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@storybook/react): 5.3.20
CVE-2019-16776 - High Severity Vulnerability
Vulnerable Libraries - npm-5.1.0.tgz, npm-2.15.12.tgz
npm-5.1.0.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-5.1.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ npm-5.1.0.tgz (Vulnerable Library)
npm-2.15.12.tgz
a package manager for JavaScript
Library home page: https://registry.npmjs.org/npm/-/npm-2.15.12.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
❌ npm-2.15.12.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Publish Date: 2019-12-13
URL: CVE-2019-16776
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Release Date: 2020-10-07
Fix Resolution: npm - 6.13.3; yarn - 1.21.1
CVE-2020-15138 - High Severity Vulnerability
Vulnerable Libraries - prismjs-1.19.0.tgz, prismjs-1.17.1.tgz
prismjs-1.19.0.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.19.0.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
❌ prismjs-1.19.0.tgz (Vulnerable Library)
prismjs-1.17.1.tgz
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.17.1.tgz
Dependency Hierarchy:
addon-knobs-5.3.19.tgz (Root Library)
components-5.3.19.tgz
react-syntax-highlighter-11.0.2.tgz
refractor-2.10.1.tgz
❌ prismjs-1.17.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
Publish Date: 2020-08-07
URL: CVE-2020-15138
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-08-28
Fix Resolution (prismjs): 1.21.0
Direct dependency fix Resolution (@storybook/addon-knobs): 5.3.20
CVE-2019-10744 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.4.tgz, lodash-3.3.1.tgz
lodash-4.17.4.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
❌ lodash-4.17.4.tgz (Vulnerable Library)
lodash-3.3.1.tgz
The modern build of lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-3.3.1.tgz
Dependency Hierarchy:
tidepool-platform-client-0.45.0.tgz (Root Library)
❌ lodash-3.3.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
CVE-2021-23424 - High Severity Vulnerability
Vulnerable Library - ansi-html-0.0.7.tgz
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
core-5.3.19.tgz
webpack-hot-middleware-2.25.0.tgz
❌ ansi-html-0.0.7.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (@storybook/react): 5.3.20
CVE-2021-3757 - High Severity Vulnerability
Vulnerable Library - immer-1.10.0.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
react-dev-utils-9.1.0.tgz
❌ immer-1.10.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
Publish Date: 2021-09-02
URL: CVE-2021-3757
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution (immer): 9.0.6
Direct dependency fix Resolution (@storybook/react): 6.4.13
CVE-2021-24033 - Medium Severity Vulnerability
Vulnerable Library - react-dev-utils-9.1.0.tgz
Webpack utilities used by Create React App
Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-9.1.0.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
❌ react-dev-utils-9.1.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (i.e. by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
Publish Date: 2021-03-09
URL: CVE-2021-24033
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.facebook.com/security/advisories/cve-2021-24033
Release Date: 2021-03-09
Fix Resolution (react-dev-utils): 11.0.4
Direct dependency fix Resolution (@storybook/react): 6.1.20
CVE-2019-16769 - Medium Severity Vulnerability
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Dependency Hierarchy:
copy-webpack-plugin-4.5.2.tgz (Root Library)
❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability does not affect the Node.js environment, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 3 Score Details (5.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2020-01-17
Fix Resolution (serialize-javascript): 2.1.1
Direct dependency fix Resolution (copy-webpack-plugin): 5.0.5
CVE-2021-23382 - Medium Severity Vulnerability
Vulnerable Libraries - postcss-7.0.32.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz, postcss-7.0.27.tgz
postcss-7.0.32.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.32.tgz
Dependency Hierarchy:
autoprefixer-9.8.4.tgz (Root Library)
❌ postcss-7.0.32.tgz (Vulnerable Library)
postcss-5.2.18.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-5.2.18.tgz
Dependency Hierarchy:
babel-plugin-styled-components-css-namespace-1.0.0-rc4.tgz (Root Library)
postcss-parent-selector-1.0.0.tgz
❌ postcss-5.2.18.tgz (Vulnerable Library)
postcss-6.0.23.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz
Dependency Hierarchy:
css-loader-1.0.0.tgz (Root Library)
❌ postcss-6.0.23.tgz (Vulnerable Library)
postcss-7.0.27.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.27.tgz
Dependency Hierarchy:
stylelint-13.2.0.tgz (Root Library)
❌ postcss-7.0.27.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (autoprefixer): 9.8.5
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (css-loader): 2.0.0
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (stylelint): 13.2.1
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Dependency Hierarchy:
karma-3.0.0.tgz (Root Library)
socket.io-2.1.1.tgz
socket.io-client-2.1.1.tgz
engine.io-client-3.2.1.tgz
❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (karma): 5.0.8
WS-2020-0344 - High Severity Vulnerability
Vulnerable Library - is-my-json-valid-2.20.0.tgz
A [JSONSchema](https://json-schema.org/) validator that uses code generation to be extremely fast.
Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.20.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
request-2.74.0.tgz
har-validator-2.0.6.tgz
❌ is-my-json-valid-2.20.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
An Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the formatName function.
Publish Date: 2020-06-09
URL: WS-2020-0344
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-09
Fix Resolution: is-my-json-valid - 2.20.3
CVE-2020-7660 - High Severity Vulnerability
Vulnerable Libraries - serialize-javascript-1.9.1.tgz, serialize-javascript-2.1.2.tgz
serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Dependency Hierarchy:
copy-webpack-plugin-4.5.2.tgz (Root Library)
❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)
serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
core-5.3.19.tgz
terser-webpack-plugin-2.3.5.tgz
❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (copy-webpack-plugin): 5.1.2
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@storybook/react): 5.3.20
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Libraries - axios-0.15.3.tgz, axios-0.19.0.tgz
axios-0.15.3.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.15.3.tgz
Dependency Hierarchy:
github-api-3.0.0.tgz (Root Library)
❌ axios-0.15.3.tgz (Vulnerable Library)
axios-0.19.0.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Dependency Hierarchy:
addon-actions-5.3.19.tgz (Root Library)
react-inspector-4.0.0.tgz
storybook-chromatic-2.2.2.tgz
localtunnel-1.10.1.tgz
❌ axios-0.19.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (github-api): 3.4.0
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (@storybook/addon-actions): 5.3.20
WS-2018-0076 - Medium Severity Vulnerability
Vulnerable Library - tunnel-agent-0.4.3.tgz
HTTP proxy tunneling agent. Formerly part of mikeal/request, now a standalone module.
Library home page: https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
request-2.74.0.tgz
❌ tunnel-agent-0.4.3.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Versions of tunnel-agent before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.
Publish Date: 2017-03-05
URL: WS-2018-0076
CVSS 3 Score Details (5.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/598
Release Date: 2017-03-05
Fix Resolution: 0.6.0
CVE-2021-27290 - High Severity Vulnerability
Vulnerable Library - ssri-5.3.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npm-5.1.0.tgz
pacote-2.7.38.tgz
make-fetch-happen-2.6.0.tgz
❌ ssri-5.3.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution: ssri - 6.0.2, 7.1.1, 8.0.1
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.0.tgz, glob-parent-5.1.1.tgz, glob-parent-2.0.0.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
react-dev-utils-9.1.0.tgz
fork-ts-checker-webpack-plugin-1.5.0.tgz
chokidar-2.1.8.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
glob-parent-5.1.0.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.0.tgz
Dependency Hierarchy:
stylelint-13.2.0.tgz (Root Library)
globby-11.0.0.tgz
fast-glob-3.2.2.tgz
❌ glob-parent-5.1.0.tgz (Vulnerable Library)
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Dependency Hierarchy:
webpack-4.44.1.tgz (Root Library)
watchpack-1.7.4.tgz
chokidar-3.4.2.tgz
❌ glob-parent-5.1.1.tgz (Vulnerable Library)
glob-parent-2.0.0.tgz
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Dependency Hierarchy:
react-5.3.19.tgz (Root Library)
core-5.3.19.tgz
glob-base-0.3.0.tgz
❌ glob-parent-2.0.0.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@storybook/react): 6.5.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (stylelint): 13.2.1
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack): 4.44.2
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@storybook/react): 6.5.0
CVE-2021-23346 - Medium Severity Vulnerability
Vulnerable Library - html-parse-stringify2-2.0.1.tgz
Parses well-formed HTML (meaning all tags closed) into an AST and back, quickly.
Library home page: https://registry.npmjs.org/html-parse-stringify2/-/html-parse-stringify2-2.0.1.tgz
Dependency Hierarchy:
react-i18next-7.13.0.tgz (Root Library)
❌ html-parse-stringify2-2.0.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
Publish Date: 2021-03-04
URL: CVE-2021-23346
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-545q-3fg6-48m7
Release Date: 2021-03-04
Fix Resolution: html-parse-stringify 2.0.1
WS-2020-0345 - High Severity Vulnerability
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
request-2.74.0.tgz
har-validator-2.0.6.tgz
is-my-json-valid-2.20.0.tgz
❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.
Publish Date: 2020-07-03
URL: WS-2020-0345
CVSS 3 Score Details (8.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-03
Fix Resolution: jsonpointer - 4.1.0
CVE-2021-23807 - High Severity Vulnerability
Vulnerable Library - jsonpointer-4.0.1.tgz
Simple JSON Addressing.
Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz
Dependency Hierarchy:
gitbook-cli-2.3.2.tgz (Root Library)
npmi-1.0.1.tgz
npm-2.15.12.tgz
request-2.74.0.tgz
har-validator-2.0.6.tgz
is-my-json-valid-2.20.0.tgz
❌ jsonpointer-4.0.1.tgz (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
Publish Date: 2021-11-03
URL: CVE-2021-23807
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23807
Release Date: 2021-11-03
Fix Resolution: jsonpointer - 5.0.0