Vulnerable Library - diff-2.2.3.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-2.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• text-buffer-13.18.6.tgz (Root Library)
  • ❌ diff-2.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution: 3.5.0

Vulnerable Library - trim-0.0.1.tgz

Trim string whitespace

Library home page: https://registry.npmjs.org/trim/-/trim-0.0.1.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/trim/package.json

Dependency Hierarchy:

• stylelint-9.3.0.tgz (Root Library)
  • postcss-markdown-0.28.0.tgz
    • remark-9.0.0.tgz
      • remark-parse-5.0.0.tgz
        • ❌ trim-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Publish Date: 2020-10-27

URL: CVE-2020-7753

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: component/trim#8

Release Date: 2020-10-27

Fix Resolution: trim - 0.0.3

Vulnerable Library - sync-exec-0.5.0.tgz

Synchronous exec with status code support. Requires no external dependencies, no need for node-gyp compilations etc.

Library home page: https://registry.npmjs.org/sync-exec/-/sync-exec-0.5.0.tgz

Path to dependency file: /packages/line-ending-selector/package.json

Path to vulnerable library: /packages/line-ending-selector/node_modules/sync-exec/package.json

Dependency Hierarchy:

• standard-5.4.1.tgz (Root Library)
  • standard-format-1.6.10.tgz
    • esformatter-0.8.2.tgz
      • npm-run-2.0.0.tgz
        • ❌ sync-exec-0.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.

Publish Date: 2018-06-04

URL: CVE-2017-16024

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16024

Release Date: 2018-06-04

Fix Resolution: no_fix

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-27

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Fix Resolution (is-my-json-valid): 2.20.2

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Vulnerable Libraries - debug-3.2.6.tgz, debug-4.1.1.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-gxpj-cx7g-858c

Release Date: 2018-04-26

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (mocha-multi-reporters): 1.5.0

Fix Resolution (debug): 3.2.7

Direct dependency fix Resolution (electron-notarize): 0.3.0

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Dependency Hierarchy:

• atom-package-manager-2.4.5.tgz (Root Library)
  • npm-6.2.0.tgz
    • node-gyp-3.7.0.tgz
      • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/underscore.string/package.json

Dependency Hierarchy:

• donna-1.0.16.tgz (Root Library)
  • ❌ underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - color-string-0.2.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.2.4.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/color-string/package.json

Dependency Hierarchy:

• color-0.7.3.tgz (Root Library)
  • ❌ color-string-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5

Release Date: 2021-03-12

Fix Resolution: color-string - 1.5.5

Vulnerable Libraries - postcss-5.2.4.tgz, postcss-6.0.22.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (stylelint): 9.6.0

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-user-validate/package.json,/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• atom-package-manager-2.4.5.tgz (Root Library)
  • npm-6.2.0.tgz
    • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/randomatic/node_modules/kind-of/package.json,/script/node_modules/define-property/node_modules/kind-of/package.json,/script/node_modules/snapdragon-node/node_modules/kind-of/package.json,/script/node_modules/nanomatch/node_modules/kind-of/package.json,/script/node_modules/fast-glob/node_modules/kind-of/package.json,/script/node_modules/base/node_modules/kind-of/package.json

Dependency Hierarchy:

• klaw-sync-1.1.2.tgz (Root Library)
  • micromatch-2.3.11.tgz
    • braces-1.8.5.tgz
      • expand-range-1.8.2.tgz
        • fill-range-2.2.4.tgz
          • randomatic-3.0.0.tgz
            • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2020-08-24

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (klaw-sync): 2.0.0

Vulnerable Libraries - xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution (xmlbuilder): 9.0.5

Direct dependency fix Resolution (electron-packager): 13.0.0

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.10.tgz, lodash-4.17.15.tgz, lodash-4.17.11.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (babel-core): 6.9.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (@octokit/rest): 15.9.6

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (mocha-multi-reporters): 1.5.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (eslint): 6.0.0

Vulnerable Library - npm-6.2.0.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.2.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/package.json

Dependency Hierarchy:

• atom-package-manager-2.4.5.tgz (Root Library)
  • ❌ npm-6.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Publish Date: 2020-07-07

URL: CVE-2020-15095

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-93f3-23rq-pjfp

Release Date: 2020-07-07

Fix Resolution (npm): 6.14.6

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Vulnerable Libraries - xmlbuilder-0.4.3.tgz, xmlbuilder-8.2.2.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2020-03-23

Fix Resolution: 9.0.5

Vulnerable Libraries - ssri-5.3.0.tgz, ssri-6.0.1.tgz, ssri-6.0.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (npm): 6.14.7

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: /packages/dalek/package.json

Path to vulnerable library: /packages/dalek/node_modules/jsonpointer/package.json

Dependency Hierarchy:

• standard-8.6.0.tgz (Root Library)
  • eslint-3.10.2.tgz
    • is-my-json-valid-2.19.0.tgz
      • ❌ jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution (jsonpointer): 4.1.0

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Vulnerable Library - dompurify-1.0.11.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• autocomplete-plus-https://www.atom.io/api/packages/autocomplete-plus/versions/2.42.3/tarball.tgz (Root Library)
  • ❌ dompurify-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

Publish Date: 2019-09-24

URL: CVE-2019-16728

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16728

Release Date: 2019-09-24

Fix Resolution: 2.0.1

Vulnerable Libraries - lodash-4.17.10.tgz, lodash-4.17.15.tgz, lodash-4.17.11.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash-4.17.21

Vulnerable Libraries - trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution (trim-newlines): 3.0.1

Direct dependency fix Resolution (stylelint): 13.0.0

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-09

Fix Resolution: is-my-json-valid - 2.20.3

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in is-my-json-valid before 2.20.2 via the style format.

Publish Date: 2020-06-27

URL: WS-2020-0342

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-27

Fix Resolution: is-my-json-valid - 2.20.2

Vulnerable Libraries - marked-0.3.19.js, marked-0.3.19.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: 2018-04-16

Fix Resolution: marked - 0.4.0

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: atom/script/vsts/package.json

Path to vulnerable library: atom/script/vsts/node_modules/normalize-url/package.json

Dependency Hierarchy:

• download-7.1.0.tgz (Root Library)
  • got-8.3.2.tgz
    • cacheable-request-2.1.4.tgz
      • ❌ normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1, 5.3.1, 6.0.1

Vulnerable Libraries - is-my-json-valid-2.19.0.tgz, is-my-json-valid-2.20.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: mafintosh/is-my-json-valid@c3fc04f

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (standard): 9.0.0-beta.0

Vulnerable Library - css-what-2.1.3.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz

Path to dependency file: /script/package.json

Path to vulnerable library: /script/node_modules/css-what/package.json

Dependency Hierarchy:

• cheerio-1.0.0-rc.2.tgz (Root Library)
  • css-select-1.2.0.tgz
    • ❌ css-what-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (cheerio): 1.0.0-rc.6

Vulnerable Library - jsonpointer-4.0.1.tgz

Simple JSON Addressing.

Library home page: https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.1.tgz

Path to dependency file: atom/packages/dalek/package.json

Path to vulnerable library: atom/packages/dalek/node_modules/jsonpointer/package.json,atom/packages/welcome/node_modules/jsonpointer/package.json

Dependency Hierarchy:

• standard-8.6.0.tgz (Root Library)
  • eslint-3.10.2.tgz
    • is-my-json-valid-2.20.0.tgz
      • ❌ jsonpointer-4.0.1.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Prototype Pollution vulnerability was found in jsonpointer before 4.1.0 via the set function.

Publish Date: 2020-07-03

URL: WS-2020-0345

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/janl/node-jsonpointer/releases/tag/v4.1.0

Release Date: 2020-07-03

Fix Resolution: jsonpointer - 4.1.0

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - underscore.string-3.3.5.tgz

String manipulation extensions for Underscore.js javascript library.

Library home page: https://registry.npmjs.org/underscore.string/-/underscore.string-3.3.5.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/underscore.string/package.json

Dependency Hierarchy:

• donna-1.0.16.tgz (Root Library)
  • ❌ underscore.string-3.3.5.tgz (Vulnerable Library)

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in underscore.string 2.4.0 through 3.3.5.

Publish Date: 2017-09-08

URL: WS-2017-3772

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - css-what-2.1.3.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.3.tgz

Path to dependency file: atom/package.json

Path to vulnerable library: atom/node_modules/css-what/package.json,atom/script/node_modules/css-what/package.json

Dependency Hierarchy:

• cheerio-1.0.0-rc.2.tgz (Root Library)
  • css-select-1.2.0.tgz
    • ❌ css-what-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/npm-user-validate/package.json,/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• atom-package-manager-2.4.5.tgz (Root Library)
  • npm-6.2.0.tgz
    • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-10-27

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-29

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (stylelint): 9.4.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (stylelint): 9.4.0

Vulnerability Details

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Publish Date: 2019-02-22

URL: CVE-2019-9023

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9023

Release Date: 2019-02-22

Fix Resolution: 5.6.40,7.1.26,7.2.14,7.3.1

Vulnerable Library - normalize-url-2.0.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-2.0.1.tgz

Path to dependency file: /script/vsts/package.json

Path to vulnerable library: /script/vsts/node_modules/normalize-url/package.json

Dependency Hierarchy:

• download-7.1.0.tgz (Root Library)
  • got-8.3.2.tgz
    • cacheable-request-2.1.4.tgz
      • ❌ normalize-url-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: atom/spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/parsejson/package.json

Dependency Hierarchy:

• karma-0.13.22.tgz (Root Library)
  • socket.io-1.7.4.tgz
    • socket.io-client-1.7.4.tgz
      • engine.io-client-1.8.6.tgz
        • ❌ parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - color-string-0.2.4.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-0.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

• color-0.7.3.tgz (Root Library)
  • ❌ color-string-0.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (color): 1.0.0

Vulnerable Libraries - trim-newlines-1.0.0.tgz, trim-newlines-2.0.0.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Publish Date: 2021-05-28

URL: CVE-2021-33623

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33623

Release Date: 2021-05-28

Fix Resolution: trim-newlines - 3.0.1, 4.0.1

Vulnerable Libraries - ms-0.7.2.tgz, ms-0.7.1.tgz

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/roaster/node_modules/marked/package.json,/packages/deprecation-cop/node_modules/marked/package.json,/node_modules/notifications/node_modules/marked/package.json,/node_modules/settings-view/node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution: 0.4.0

Vulnerable Libraries - postcss-5.2.4.tgz, postcss-6.0.22.tgz, postcss-5.2.18.tgz, postcss-6.0.23.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution: postcss - 8.2.13

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

Found in HEAD commit: 0dd3ca131788e5d5aeaf0e095ce6ca46d6df0b9f

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (klaw-sync): 2.0.0

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (stylelint): 13.0.0

Vulnerability Details

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

Publish Date: 2019-02-22

URL: CVE-2019-9023

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9023

Release Date: 2019-02-22

Fix Resolution: 5.6.40,7.1.26,7.2.14,7.3.1

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• npm-6.14.6.tgz (Root Library)
  • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution: 1.0.1

Vulnerable Libraries - lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.10.tgz, lodash-4.17.11.tgz

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (@octokit/rest): 15.9.6

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (eslint-plugin-import): 2.17.3

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /apm/package.json

Path to vulnerable library: /apm/node_modules/atom-package-manager/node_modules/npm/node_modules/node-gyp/node_modules/tar/package.json

Dependency Hierarchy:

• atom-package-manager-2.4.5.tgz (Root Library)
  • npm-6.2.0.tgz
    • node-gyp-3.7.0.tgz
      • ❌ tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution (tar): 2.2.2

Direct dependency fix Resolution (atom-package-manager): 2.5.0

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: atom/script/package.json

Path to vulnerable library: atom/script/node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• npm-6.14.6.tgz (Root Library)
  • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-07-21

Fix Resolution: 1.0.1

Vulnerable Libraries - glob-parent-2.0.0.tgz, glob-parent-3.1.0.tgz

Found in HEAD commit: b5b707a3090a251254d289cc24069b724015cea2

Found in base branch: electron-upgrade

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /repo-with-submodules/You-Dont-Need-jQuery/package.json

Path to vulnerable library: /spec/fixtures/git/repo-with-submodules/You-Dont-Need-jQuery/node_modules/parsejson/package.json

Dependency Hierarchy:

• karma-0.13.22.tgz (Root Library)
  • socket.io-1.7.4.tgz
    • socket.io-client-1.7.4.tgz
      • engine.io-client-1.8.6.tgz
        • ❌ parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 808ed16784ca49c0e5810becefba198982d2916e

Found in base branch: electron-upgrade

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16113

Release Date: 2018-06-07

Fix Resolution: no_fix