Vulnerabilities

DepShield reports that this application's usage of postcss:7.0.21 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

postcss:7.0.21 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ resolve-url-loader:3.1.2
              └─ postcss:7.0.21

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of ws:5.2.3 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2021-32640] ws is an open source WebSocket client and server library for Node.js. A speciall...

Occurrences

ws:5.2.3 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ jest:24.9.0
              └─ jest-cli:24.9.0
                    └─ jest-config:24.9.0
                          └─ jest-environment-jsdom:24.9.0
                                └─ jsdom:11.12.0
                                      └─ ws:5.2.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ webpack:4.42.0
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ has-value:1.0.0
                                            └─ has-values:1.0.0
                                                  └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of browserslist:4.10.0 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2021-23364] The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular ...

Occurrences

browserslist:4.10.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ react-dev-utils:10.2.1
              └─ browserslist:4.10.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of ssri:7.1.1 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2021-27290] ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression whic...

Occurrences

ssri:7.1.1 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ terser-webpack-plugin:2.3.8
              └─ cacache:13.0.1
                    └─ ssri:7.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of immer:1.10.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

immer:1.10.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ react-dev-utils:10.2.1
              └─ immer:1.10.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2022-0512 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-0691 - High Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ optimize-css-assets-webpack-plugin:5.0.3
              └─ cssnano:4.1.11
                    └─ cssnano-preset-default:4.0.8
                          └─ postcss-merge-rules:4.0.3
                                └─ caniuse-api:3.0.0
                                      └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • mini-css-extract-plugin-0.9.0.tgz
    • ❌ normalize-url-1.9.1.tgz (Vulnerable Library)

normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-normalize-url-4.0.1.tgz
          • ❌ normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • eslint-6.8.0.tgz
    • ❌ glob-parent-5.1.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-7.1.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-7.1.1.tgz

Path to dependency file: cirrus-ci-web/package.json

Path to vulnerable library: cirrus-ci-web/node_modules/ssri

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • terser-webpack-plugin-2.3.8.tgz
    • cacache-13.0.1.tgz
      • ❌ ssri-7.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2021-03-12

Fix Resolution: 8.0.1

Step up your Open Source Security Game with WhiteSource here

Vulnerabilities

DepShield reports that this application's usage of lodash.camelcase:4.3.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.camelcase:4.3.0 is a transitive dependency introduced by the following direct dependency(s):

• react-markdown:5.0.3
        └─ html-to-react:1.4.5
              └─ lodash.camelcase:4.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ optimize-css-assets-webpack-plugin:5.0.3
              └─ cssnano:4.1.11
                    └─ cssnano-preset-default:4.0.8
                          └─ postcss-merge-rules:4.0.3
                                └─ caniuse-api:3.0.0
                                      └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ eslint-plugin-import:2.20.1
              └─ eslint-import-resolver-node:0.3.4
                    └─ debug:2.6.9
              └─ debug:2.6.9
        └─ react-dev-utils:10.2.1
              └─ detect-port-alt:1.1.6
                    └─ debug:2.6.9
        └─ webpack:4.42.0
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ debug:2.6.9
                    └─ snapdragon:0.8.2
                          └─ debug:2.6.9
        └─ webpack-dev-server:3.11.0
              └─ compression:1.7.4
                    └─ debug:2.6.9
              └─ express:4.17.1
                    └─ body-parser:1.19.0
                          └─ debug:2.6.9
                    └─ debug:2.6.9
                    └─ finalhandler:1.1.2
                          └─ debug:2.6.9
                    └─ send:0.17.1
                          └─ debug:2.6.9
              └─ serve-index:1.9.1
                    └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:2.0.1 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:2.0.1 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ @svgr/webpack:4.3.3
              └─ @svgr/plugin-svgo:4.3.1
                    └─ merge-deep:3.0.3
                          └─ clone-deep:0.2.4
                                └─ shallow-clone:0.1.2
                                      └─ kind-of:2.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ @svgr/webpack:4.3.3
              └─ @svgr/plugin-svgo:4.3.1
                    └─ svgo:1.3.2
                          └─ coa:2.0.2
                                └─ q:1.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of postcss:7.0.36 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

postcss:7.0.36 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ css-loader:3.4.2
              └─ icss-utils:4.1.1
                    └─ postcss:7.0.36
              └─ postcss:7.0.36
              └─ postcss-modules-extract-imports:2.0.0
                    └─ postcss:7.0.36
              └─ postcss-modules-local-by-default:3.0.3
                    └─ postcss:7.0.36
              └─ postcss-modules-scope:2.2.0
                    └─ postcss:7.0.36
              └─ postcss-modules-values:3.0.0
                    └─ postcss:7.0.36
        └─ optimize-css-assets-webpack-plugin:5.0.3
              └─ cssnano:4.1.11
                    └─ cssnano-preset-default:4.0.8
                          └─ css-declaration-sorter:4.0.1
                                └─ postcss:7.0.36
                          └─ cssnano-util-raw-cache:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss:7.0.36
                          └─ postcss-calc:7.0.5
                                └─ postcss:7.0.36
                          └─ postcss-colormin:4.0.3
                                └─ postcss:7.0.36
                          └─ postcss-convert-values:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-discard-comments:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-discard-duplicates:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-discard-empty:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-discard-overridden:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-merge-longhand:4.0.11
                                └─ postcss:7.0.36
                                └─ stylehacks:4.0.3
                                      └─ postcss:7.0.36
                          └─ postcss-merge-rules:4.0.3
                                └─ postcss:7.0.36
                          └─ postcss-minify-font-values:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-minify-gradients:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-minify-params:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-minify-selectors:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-charset:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-normalize-display-values:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-positions:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-repeat-style:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-string:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-timing-functions:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-normalize-unicode:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-normalize-url:4.0.1
                                └─ postcss:7.0.36
                          └─ postcss-normalize-whitespace:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-ordered-values:4.1.2
                                └─ postcss:7.0.36
                          └─ postcss-reduce-initial:4.0.3
                                └─ postcss:7.0.36
                          └─ postcss-reduce-transforms:4.0.2
                                └─ postcss:7.0.36
                          └─ postcss-svgo:4.0.3
                                └─ postcss:7.0.36
                          └─ postcss-unique-selectors:4.0.1
                                └─ postcss:7.0.36
                    └─ postcss:7.0.36
        └─ postcss-flexbugs-fixes:4.1.0
              └─ postcss:7.0.36
        └─ postcss-loader:3.0.0
              └─ postcss:7.0.36
        └─ postcss-normalize:8.0.1
              └─ postcss:7.0.36
              └─ postcss-browser-comments:3.0.0
                    └─ postcss:7.0.36
        └─ postcss-preset-env:6.7.0
              └─ autoprefixer:9.8.6
                    └─ postcss:7.0.36
              └─ css-blank-pseudo:0.1.4
                    └─ postcss:7.0.36
              └─ css-has-pseudo:0.10.0
                    └─ postcss:7.0.36
              └─ css-prefers-color-scheme:3.1.1
                    └─ postcss:7.0.36
              └─ postcss:7.0.36
              └─ postcss-attribute-case-insensitive:4.0.2
                    └─ postcss:7.0.36
              └─ postcss-color-functional-notation:2.0.1
                    └─ postcss:7.0.36
              └─ postcss-color-gray:5.0.0
                    └─ postcss:7.0.36
              └─ postcss-color-hex-alpha:5.0.3
                    └─ postcss:7.0.36
              └─ postcss-color-mod-function:3.0.3
                    └─ postcss:7.0.36
              └─ postcss-color-rebeccapurple:4.0.1
                    └─ postcss:7.0.36
              └─ postcss-custom-media:7.0.8
                    └─ postcss:7.0.36
              └─ postcss-custom-properties:8.0.11
                    └─ postcss:7.0.36
              └─ postcss-custom-selectors:5.1.2
                    └─ postcss:7.0.36
              └─ postcss-dir-pseudo-class:5.0.0
                    └─ postcss:7.0.36
              └─ postcss-double-position-gradients:1.0.0
                    └─ postcss:7.0.36
              └─ postcss-env-function:2.0.2
                    └─ postcss:7.0.36
              └─ postcss-focus-visible:4.0.0
                    └─ postcss:7.0.36
              └─ postcss-focus-within:3.0.0
                    └─ postcss:7.0.36
              └─ postcss-font-variant:4.0.1
                    └─ postcss:7.0.36
              └─ postcss-gap-properties:2.0.0
                    └─ postcss:7.0.36
              └─ postcss-image-set-function:3.0.1
                    └─ postcss:7.0.36
              └─ postcss-initial:3.0.4
                    └─ postcss:7.0.36
              └─ postcss-lab-function:2.0.1
                    └─ postcss:7.0.36
              └─ postcss-logical:3.0.0
                    └─ postcss:7.0.36
              └─ postcss-media-minmax:4.0.0
                    └─ postcss:7.0.36
              └─ postcss-nesting:7.0.1
                    └─ postcss:7.0.36
              └─ postcss-overflow-shorthand:2.0.0
                    └─ postcss:7.0.36
              └─ postcss-page-break:2.0.0
                    └─ postcss:7.0.36
              └─ postcss-place:4.0.1
                    └─ postcss:7.0.36
              └─ postcss-pseudo-class-any-link:6.0.0
                    └─ postcss:7.0.36
              └─ postcss-replace-overflow-wrap:3.0.0
                    └─ postcss:7.0.36
              └─ postcss-selector-matches:4.0.0
                    └─ postcss:7.0.36
              └─ postcss-selector-not:4.0.1
                    └─ postcss:7.0.36
        └─ postcss-safe-parser:4.0.1
              └─ postcss:7.0.36

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ @svgr/webpack:4.3.3
              └─ @svgr/plugin-svgo:4.3.1
                    └─ merge-deep:3.0.3
                          └─ clone-deep:0.2.4
                                └─ kind-of:3.2.2
                          └─ kind-of:3.2.2
        └─ webpack:4.42.0
              └─ micromatch:3.1.10
                    └─ braces:2.3.2
                          └─ fill-range:4.0.0
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2
                          └─ snapdragon-node:2.1.1
                                └─ snapdragon-util:3.0.1
                                      └─ kind-of:3.2.2
                    └─ snapdragon:0.8.2
                          └─ base:0.11.2
                                └─ cache-base:1.0.1
                                      └─ to-object-path:0.3.0
                                            └─ kind-of:3.2.2
                                └─ class-utils:0.3.6
                                      └─ static-extend:0.1.2
                                            └─ object-copy:0.1.0
                                                  └─ kind-of:3.2.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2021-23368 - Medium Severity Vulnerability

Vulnerable Library - postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • ❌ postcss-7.0.21.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.0.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.2/jquery.min.js

Path to dependency file: /node_modules/ace-builds/demo/whitespace .html

Path to vulnerable library: /node_modules/ace-builds/demo/whitespace .html

Dependency Hierarchy:

• ❌ jquery-2.0.2.min.js (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ workbox-webpack-plugin:4.3.1
              └─ workbox-build:4.3.1
                    └─ lodash.template:4.5.0
                          └─ lodash._reinterpolate:3.0.0
                          └─ lodash.templatesettings:4.2.0
                                └─ lodash._reinterpolate:3.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: cirrus-ci-web/package.json

Path to vulnerable library: cirrus-ci-web/node_modules/css-what

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.11.tgz
      • cssnano-preset-default-4.0.8.tgz
        • postcss-svgo-4.0.3.tgz
          • svgo-1.3.2.tgz
            • css-select-2.1.0.tgz
              • ❌ css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution: css-what - 5.0.1

Step up your Open Source Security Game with WhiteSource here

CVE-2021-23436 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ webpack-dev-server:3.11.0
              └─ express:4.17.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • selfsigned-1.10.11.tgz
      • ❌ node-forge-0.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch

Dependency Hierarchy:

• react-relay-12.0.0.tgz (Root Library)
  • fbjs-3.0.1.tgz
    • cross-fetch-3.1.4.tgz
      • ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (react-relay): 13.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-3757 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-24033 - Medium Severity Vulnerability

Vulnerable Library - react-dev-utils-10.2.1.tgz

webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-10.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-dev-utils

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • ❌ react-dev-utils-10.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Publish Date: 2021-03-09

URL: CVE-2021-24033

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.facebook.com/security/advisories/cve-2021-24033

Release Date: 2021-03-09

Fix Resolution (react-dev-utils): 11.0.4

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-3664 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.1.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/url-parse

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • webpack-dev-server-3.11.0.tgz
    • sockjs-client-1.4.0.tgz
      • ❌ url-parse-1.5.1.tgz (Vulnerable Library)

Found in HEAD commit: d74cafa041df75c6a5f14ffbbd747a42d893b8c5

Found in base branch: master

Vulnerability Details

url-parse is vulnerable to URL Redirection to Untrusted Site

Publish Date: 2021-07-26

URL: CVE-2021-3664

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664

Release Date: 2021-07-26

Fix Resolution (url-parse): 1.5.2

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of acorn:5.7.4 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:5.7.4 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ jest:24.9.0
              └─ jest-cli:24.9.0
                    └─ jest-config:24.9.0
                          └─ jest-environment-jsdom:24.9.0
                                └─ jsdom:11.12.0
                                      └─ acorn:5.7.4

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ webpack-dev-server:3.11.0
              └─ http-proxy-middleware:0.19.1
                    └─ http-proxy:1.18.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.0.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.2/jquery.min.js

Path to dependency file: /node_modules/ace-builds/demo/whitespace .html

Path to vulnerable library: /node_modules/ace-builds/demo/whitespace .html

Dependency Hierarchy:

• ❌ jquery-2.0.2.min.js (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Step up your Open Source Security Game with Mend here

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.0.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.2/jquery.min.js

Path to dependency file: /node_modules/ace-builds/demo/whitespace .html

Path to vulnerable library: /node_modules/ace-builds/demo/whitespace .html

Dependency Hierarchy:

• ❌ jquery-2.0.2.min.js (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with Mend here

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.0.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.0.2/jquery.min.js

Path to dependency file: /node_modules/ace-builds/demo/whitespace .html

Path to vulnerable library: /node_modules/ace-builds/demo/whitespace .html

Dependency Hierarchy:

• ❌ jquery-2.0.2.min.js (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with Mend here

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.10.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserslist

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ browserslist-4.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ react-dev-utils:10.2.1
              └─ global-modules:2.0.0
                    └─ global-prefix:3.0.0
                          └─ ini:1.3.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of lodash.throttle:4.1.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.throttle:4.1.1 is a transitive dependency introduced by the following direct dependency(s):

• recharts:1.8.5
        └─ react-resize-detector:2.3.0
              └─ lodash.throttle:4.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2021-23382 - High Severity Vulnerability

Vulnerable Library - postcss-7.0.21.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • resolve-url-loader-3.1.2.tgz
    • ❌ postcss-7.0.21.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of glob-parent:3.1.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

glob-parent:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ react-dev-utils:10.2.1
              └─ globby:8.0.2
                    └─ fast-glob:2.2.7
                          └─ glob-parent:3.1.0
        └─ webpack:4.42.0
              └─ watchpack:1.7.5
                    └─ watchpack-chokidar2:2.0.1
                          └─ chokidar:2.1.8
                                └─ glob-parent:3.1.0
        └─ webpack-dev-server:3.11.0
              └─ chokidar:2.1.8
                    └─ glob-parent:3.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ jest:24.9.0
              └─ jest-cli:24.9.0
                    └─ jest-config:24.9.0
                          └─ jest-environment-jsdom:24.9.0
                                └─ jsdom:11.12.0
                                      └─ whatwg-url:6.5.0
                                            └─ lodash.sortby:4.7.0
        └─ jest-environment-jsdom-fourteen:1.0.1
              └─ jsdom:14.1.0
                    └─ data-urls:1.1.0
                          └─ whatwg-url:7.1.0
                                └─ lodash.sortby:4.7.0
                    └─ whatwg-url:7.1.0
                          └─ lodash.sortby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ webpack:4.42.0
              └─ micromatch:3.1.10
                    └─ snapdragon:0.8.2
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• react-ace:9.4.1
        └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

CVE-2020-28477 - High Severity Vulnerability

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/immer

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • ❌ immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

This affects all versions of package immer.

Publish Date: 2021-01-19

URL: CVE-2020-28477

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (immer): 8.0.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Step up your Open Source Security Game with Mend here

Vulnerabilities

DepShield reports that this application's usage of lodash.isequal:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.isequal:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• react-ace:9.4.1
        └─ lodash.isequal:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

• snyk:1.652.0
        └─ update-notifier:5.1.0
              └─ latest-version:5.1.0
                    └─ package-json:6.5.0
                          └─ registry-auth-token:4.2.1
                                └─ rc:1.2.8
                                      └─ ini:1.3.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency(s):

• react-scripts:3.4.4
        └─ @svgr/webpack:4.3.3
              └─ @babel/preset-env:7.14.7
                    └─ babel-plugin-polyfill-corejs2:0.2.2
                          └─ @babel/helper-define-polyfill-provider:0.2.3
                                └─ lodash.debounce:4.0.8

• recharts:1.8.5
        └─ react-resize-detector:2.3.0
              └─ lodash.debounce:4.0.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

WS-2021-0154 - Medium Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: cirrus-ci-web/package.json

Path to vulnerable library: cirrus-ci-web/node_modules/glob-parent

Dependency Hierarchy:

• react-scripts-3.4.4.tgz (Root Library)
  • react-dev-utils-10.2.1.tgz
    • globby-8.0.2.tgz
      • fast-glob-2.2.7.tgz
        • ❌ glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 31e3781d9cd380020c335ba4f4897abf983dbc02

Found in base branch: master

Vulnerability Details

Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.

Publish Date: 2021-01-27

URL: WS-2021-0154

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2

Release Date: 2021-01-27

Fix Resolution: glob-parent - 5.1.2

Step up your Open Source Security Game with WhiteSource here