noahbjohnson / electron-foundation Goto Github PK

Vulnerable Library - ssri-8.0.0.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-8.0.0.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/ssri

Dependency Hierarchy:

• css-minimizer-webpack-plugin-1.1.5.tgz (Root Library)
  • cacache-15.0.5.tgz
    • ❌ ssri-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290

Release Date: 2021-03-12

Fix Resolution: ssri - 6.0.2,8.0.1

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/prelexer.hpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

Publish Date: 2019-01-14

URL: CVE-2019-6286

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/parser.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-06-04

URL: CVE-2018-11694

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11694

Release Date: 2018-06-04

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/eval.cpp

Vulnerability Details

LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.

Publish Date: 2019-11-06

URL: CVE-2019-18797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18797

Release Date: 2019-11-06

Fix Resolution: LibSass - 3.6.3

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/path-parse

Dependency Hierarchy:

• core-7.12.9.tgz (Root Library)
  • resolve-1.20.0.tgz
    • ❌ path-parse-1.0.6.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

Vulnerable Library - browserslist-4.14.7.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.7.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/browserslist

Dependency Hierarchy:

• eslint-plugin-compat-3.8.0.tgz (Root Library)
  • ❌ browserslist-4.14.7.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11697

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11697

Release Date: 2019-09-01

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex

Dependency Hierarchy:

• husky-4.3.0.tgz (Root Library)
  • find-versions-3.2.0.tgz
    • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1

Release Date: 2021-09-15

Fix Resolution: semver-regex - 3.1.3,4.0.1

Vulnerable Libraries - css-what-2.1.3.tgz, css-what-3.4.2.tgz

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Vulnerable Library - CSS::Sassv3.4.11

Library home page: https://metacpan.org/pod/CSS::Sass

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/utf8/checked.h

Vulnerability Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Publish Date: 2018-12-04

URL: CVE-2018-19839

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839

Release Date: 2018-12-04

Fix Resolution: Libsass:3.6.0

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/parser.cpp

Vulnerability Details

The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20821

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821

Release Date: 2019-04-23

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - node-notifier-8.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/node-notifier

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • core-26.6.3.tgz
    • reporters-26.6.2.tgz
      • ❌ node-notifier-8.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution: 9.0.0

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Publish Date: 2021-02-22

URL: CVE-2021-27515

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515

Release Date: 2021-02-22

Fix Resolution: 1.5.0

Vulnerable Libraries - ws-7.4.0.tgz, ws-6.2.1.tgz

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution: ws - 7.4.6

Vulnerable Library - hosted-git-info-2.8.8.tgz

Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab

Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/hosted-git-info

Dependency Hierarchy:

• concurrently-5.3.0.tgz (Root Library)
  • read-pkg-4.0.1.tgz
    • normalize-package-data-2.5.0.tgz
      • ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

Publish Date: 2021-03-23

URL: CVE-2021-23362

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-43f8-2h32-f4cj

Release Date: 2021-03-23

Fix Resolution: hosted-git-info - 2.8.9,3.0.8

Vulnerable Library - eslint-plugin-compat-3.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist

CVE-2021-23364

Vulnerable Library - browserslist-4.14.7.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist

Dependency Hierarchy:

• eslint-plugin-compat-3.8.0.tgz (Root Library)
  • ❌ browserslist-4.14.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (eslint-plugin-compat): 3.9.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - CSS::Sassv3.4.11

Library home page: https://metacpan.org/pod/CSS::Sass

Found in base branch: master

Vulnerable Source Files (1)

/electron-foundation/node_modules/node-sass/src/libsass/src/lexer.cpp

Vulnerability Details

In sass versions between 3.2.0 to 3.6.3 may read 1 byte outside an allocated buffer while parsing a specially crafted css rule.

Publish Date: 2019-07-16

URL: WS-2019-0605

CVSS 3 Score Details (6.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/OSV-2020-734

Release Date: 2019-07-16

Fix Resolution: 3.6.4

Vulnerable Library - elliptic-6.5.3.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/elliptic

Dependency Hierarchy:

• eslint-import-resolver-webpack-0.13.0.tgz (Root Library)
  • node-libs-browser-2.2.1.tgz
    • crypto-browserify-3.12.0.tgz
      • browserify-sign-4.2.1.tgz
        • ❌ elliptic-6.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Publish Date: 2021-02-02

URL: CVE-2020-28498

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498

Release Date: 2021-02-02

Fix Resolution: v6.5.4

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution: node-forge - 1.0.0

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/ini

Dependency Hierarchy:

• electron-rebuild-2.3.2.tgz (Root Library)
  • lzma-native-6.0.1.tgz
    • node-pre-gyp-0.11.0.tgz
      • rc-1.2.8.tgz
        • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution: v1.3.6

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution: url-parse - 1.5.2

Vulnerable Library - husky-4.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex

CVE-2021-43307

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex

Dependency Hierarchy:

• husky-4.3.0.tgz (Root Library)
  • find-versions-3.2.0.tgz
    • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (husky): 4.3.7

Step up your Open Source Security Game with Mend here

CVE-2021-3795

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex

Dependency Hierarchy:

• husky-4.3.0.tgz (Root Library)
  • find-versions-3.2.0.tgz
    • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (semver-regex): 3.1.3

Direct dependency fix Resolution (husky): 4.3.7

Step up your Open Source Security Game with Mend here

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/prelexer.hpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6284

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg

Dependency Hierarchy:

• css-minimizer-webpack-plugin-1.1.5.tgz (Root Library)
  • cssnano-4.1.10.tgz
    • cssnano-preset-default-4.0.7.tgz
      • postcss-svgo-4.0.2.tgz
        • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Publish Date: 2021-06-21

URL: CVE-2021-29059

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0

Release Date: 2021-06-21

Fix Resolution: is-svg - 4.3.0

Vulnerable Library - trim-newlines-1.0.0.tgz

Trim newlines from the start and/or end of a string

Library home page: https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/trim-newlines

Dependency Hierarchy:

• node-sass-6.0.0.tgz (Root Library)
  • meow-3.7.0.tgz
    • ❌ trim-newlines-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/ast.cpp

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-03

URL: CVE-2018-19797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797

Release Date: 2018-12-03

Fix Resolution: libsass-3.6.0

Vulnerable Library - eslint-plugin-4.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

CVE-2020-28469

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

Dependency Hierarchy:

• eslint-plugin-4.8.1.tgz (Root Library)
  • experimental-utils-4.8.1.tgz
    • typescript-estree-4.8.1.tgz
      • globby-11.0.1.tgz
        • fast-glob-3.2.4.tgz
          • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (@typescript-eslint/eslint-plugin): 4.8.2

Step up your Open Source Security Game with Mend here

Vulnerable Libraries - postcss-8.1.7.tgz, postcss-7.0.35.tgz

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution: postcss -8.2.10

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/parser.cpp

Vulnerability Details

In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.

Publish Date: 2018-12-17

URL: CVE-2018-20190

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190

Release Date: 2018-12-17

Fix Resolution: LibSass - 3.6.0

Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Libraries - postcss-8.1.7.tgz, postcss-7.0.35.tgz

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/ast.hpp

Vulnerability Details

LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).

Publish Date: 2019-04-23

URL: CVE-2018-20822

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0;node-sass - 4.13.1

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/is-svg

Dependency Hierarchy:

• css-minimizer-webpack-plugin-1.1.5.tgz (Root Library)
  • cssnano-4.1.10.tgz
    • cssnano-preset-default-4.0.7.tgz
      • postcss-svgo-4.0.2.tgz
        • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution: v4.2.2

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/ast.cpp

Vulnerability Details

In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().

Publish Date: 2018-12-04

URL: CVE-2018-19838

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2660

Release Date: 2018-12-04

Fix Resolution: libsass - 3.6.1

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/prelexer.hpp

Vulnerability Details

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.

Publish Date: 2019-01-14

URL: CVE-2019-6283

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284

Release Date: 2019-08-06

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution: node-forge - 1.0.0

Vulnerable Library - webpack-dev-server-3.11.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ip

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-78xj-cgh5-2h22

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-0691

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-1650

Vulnerable Library - eventsource-1.0.7.tgz

W3C compliant EventSource client for Node.js and browser (polyfill)

Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/eventsource

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ eventsource-1.0.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

Publish Date: 2022-05-12

URL: CVE-2022-1650

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-12

Fix Resolution (eventsource): 1.1.1

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-0686

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • portfinder-1.0.28.tgz
    • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

Step up your Open Source Security Game with Mend here

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • chokidar-2.1.8.tgz
    • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (webpack-dev-server): 4.0.0

Step up your Open Source Security Game with Mend here

WS-2022-0008

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-0155

Vulnerable Library - follow-redirects-1.13.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.1.tgz
      • ❌ follow-redirects-1.13.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-23386

Vulnerable Library - dns-packet-1.3.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dns-packet

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • bonjour-3.5.0.tgz
    • multicast-dns-6.2.3.tgz
      • ❌ dns-packet-1.3.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution (dns-packet): 1.3.2

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2023-26159

Vulnerable Library - follow-redirects-1.13.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.1.tgz
      • ❌ follow-redirects-1.13.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution (follow-redirects): 1.15.4

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-0122

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-0536

Vulnerable Library - follow-redirects-1.13.0.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • http-proxy-middleware-0.19.1.tgz
    • http-proxy-1.18.1.tgz
      • ❌ follow-redirects-1.13.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-24773

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • selfsigned-1.10.8.tgz
    • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (webpack-dev-server): 4.7.3

Step up your Open Source Security Game with Mend here

CVE-2022-0639

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2022-0512

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-3664

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-32640

Vulnerable Library - ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ws

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • ❌ ws-6.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Publish Date: 2021-05-25

URL: CVE-2021-32640

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-6fc8-4gx4-v693

Release Date: 2021-05-25

Fix Resolution (ws): 6.2.2

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

CVE-2021-27515

Vulnerable Library - url-parse-1.4.7.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • sockjs-client-1.4.0.tgz
    • ❌ url-parse-1.4.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Publish Date: 2021-02-22

URL: CVE-2021-27515

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515

Release Date: 2021-02-22

Fix Resolution (url-parse): 1.5.0

Direct dependency fix Resolution (webpack-dev-server): 3.11.1

Step up your Open Source Security Game with Mend here

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue.

Publish Date: 2021-01-28

URL: CVE-2020-26272

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26272

Release Date: 2021-01-28

Fix Resolution: electron - 9.4.0,10.2.0,11.1.0,12.0.0-beta.9

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/parser.cpp

Vulnerability Details

A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.

Publish Date: 2018-05-26

URL: CVE-2018-11499

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499

Release Date: 2018-05-26

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - nanoid-3.1.16.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.16.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nanoid

Dependency Hierarchy:

• css-loader-5.0.1.tgz (Root Library)
  • postcss-8.1.7.tgz
    • ❌ nanoid-3.1.16.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package nanoid before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23566

Release Date: 2022-01-14

Fix Resolution: nanoid - 3.1.31

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/expand.cpp

Vulnerability Details

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

Publish Date: 2018-12-03

URL: CVE-2018-19827

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2784

Release Date: 2019-08-29

Fix Resolution: LibSass - 3.6.0

Vulnerable Library - opennmsopennms-source-26.0.0-1

A Java based fault and performance management system

Library home page: https://sourceforge.net/projects/opennms/

Found in HEAD commit: 2ea7909f06d579234cf683732329664a2dda71df

Found in base branch: master

Vulnerable Source Files (1)

electron-foundation/node_modules/node-sass/src/libsass/src/sass_context.cpp

Vulnerability Details

An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Publish Date: 2018-06-04

URL: CVE-2018-11698

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11698

Release Date: 2018-06-04

Fix Resolution: Libsass-3.6.0

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /electron-foundation/node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling contextIsolation in one's app. One may also disable the functionality of the createThumbnailFromPath API if one does not need it.

Publish Date: 2021-10-12

URL: CVE-2021-39184

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-mpjm-v997-c4h4

Release Date: 2021-10-12

Fix Resolution: 11.5.0

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/lodash

Dependency Hierarchy:

• webpack-bundle-analyzer-4.1.0.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Vulnerable Library - lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/lodash

Dependency Hierarchy:

• webpack-bundle-analyzer-4.1.0.tgz (Root Library)
  • ❌ lodash-4.17.20.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@3469357

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/y18n

Dependency Hierarchy:

• concurrently-5.3.0.tgz (Root Library)
  • yargs-13.3.2.tgz
    • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

Vulnerable Library - dns-packet-1.3.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz

Path to dependency file: electron-foundation/package.json

Path to vulnerable library: electron-foundation/node_modules/dns-packet

Dependency Hierarchy:

• webpack-dev-server-3.11.0.tgz (Root Library)
  • bonjour-3.5.0.tgz
    • multicast-dns-6.2.3.tgz
      • ❌ dns-packet-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution: dns-packet - 5.2.2

Vulnerable Library - jest-26.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier

CVE-2023-26136

Vulnerable Library - tough-cookie-3.0.1.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • jest-cli-26.6.3.tgz
    • jest-config-26.6.3.tgz
      • jest-environment-jsdom-26.6.2.tgz
        • jsdom-16.4.0.tgz
          • ❌ tough-cookie-3.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (jest): 27.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-26115

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/word-wrap

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • jest-cli-26.6.3.tgz
    • jest-config-26.6.3.tgz
      • jest-environment-jsdom-26.6.2.tgz
        • jsdom-16.4.0.tgz
          • escodegen-1.14.3.tgz
            • optionator-0.8.3.tgz
              • ❌ word-wrap-1.2.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution: word-wrap - 1.2.4

Step up your Open Source Security Game with Mend here

CVE-2021-3777

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • jest-cli-26.6.3.tgz
    • jest-config-26.6.3.tgz
      • jest-jasmine2-26.6.3.tgz
        • jest-snapshot-26.6.2.tgz
          • jest-haste-map-26.6.2.tgz
            • walker-1.0.7.tgz
              • makeerror-1.0.11.tgz
                • ❌ tmpl-1.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (jest): 27.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-7789

Vulnerable Library - node-notifier-8.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier

Dependency Hierarchy:

• jest-26.6.3.tgz (Root Library)
  • core-26.6.3.tgz
    • reporters-26.6.2.tgz
      • ❌ node-notifier-8.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853

Release Date: 2020-12-11

Fix Resolution (node-notifier): 8.0.1

Direct dependency fix Resolution (jest): 27.0.0

Step up your Open Source Security Game with Mend here

Vulnerable Libraries - normalize-url-4.5.0.tgz, normalize-url-3.3.0.tgz

Found in HEAD commit: 8576c4d5f73b0fff760cc2678c9d1e3c5e5bf092

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

CVE-2022-29247

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer. The nodeIntegrationInSubFrames option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs, which include ipcRenderer. If the application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate senderFrame.

Publish Date: 2022-06-13

URL: CVE-2022-29247

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29247

Release Date: 2022-06-13

Fix Resolution: 15.5.5

Step up your Open Source Security Game with Mend here

CVE-2021-39184

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling contextIsolation in one's app. One may also disable the functionality of the createThumbnailFromPath API if one does not need it.

Publish Date: 2021-10-12

URL: CVE-2021-39184

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-mpjm-v997-c4h4

Release Date: 2021-10-12

Fix Resolution: 11.5.0

Step up your Open Source Security Game with Mend here

CVE-2023-29198

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via contextBridge can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions 25.0.0-alpha.2, 24.0.1, 23.2.3, and 22.3.6.

Publish Date: 2023-09-06

URL: CVE-2023-29198

CVSS 3 Score Details (8.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-29198

Release Date: 2023-09-06

Fix Resolution: 22.3.6

Step up your Open Source Security Game with Mend here

CVE-2022-29257

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.

Publish Date: 2022-06-13

URL: CVE-2022-29257

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-77xc-hjv8-ww97

Release Date: 2022-06-13

Fix Resolution: 15.5.0

Step up your Open Source Security Game with Mend here

CVE-2023-44402

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron.

Publish Date: 2023-12-01

URL: CVE-2023-44402

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-7m48-wc93-9g85

Release Date: 2023-12-01

Fix Resolution: 22.3.24

Step up your Open Source Security Game with Mend here

CVE-2020-26272

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. In affected versions of Electron IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no workarounds for this issue.

Publish Date: 2021-01-28

URL: CVE-2020-26272

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26272

Release Date: 2021-01-28

Fix Resolution: 11.1.0

Step up your Open Source Security Game with Mend here

CVE-2023-39956

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, and 22.3.19. There are no app side workarounds, users must update to a patched version of Electron.

Publish Date: 2023-09-06

URL: CVE-2023-39956

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-39956

Release Date: 2023-09-06

Fix Resolution: 22.3.21

Step up your Open Source Security Game with Mend here

CVE-2022-36077

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents as a workaround.

Publish Date: 2022-11-08

URL: CVE-2022-36077

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p2jh-44qj-pf2v

Release Date: 2022-11-08

Fix Resolution: 18.3.7

Step up your Open Source Security Game with Mend here

CVE-2022-21718

Vulnerable Library - electron-11.0.1.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-11.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron

Dependency Hierarchy:

• ❌ electron-11.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Publish Date: 2022-03-22

URL: CVE-2022-21718

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718

Release Date: 2022-03-22

Fix Resolution: 13.6.6

Step up your Open Source Security Game with Mend here