Git Product home page Git Product logo

integrations's Introduction

Check Run Reporter CI Integrations (check-run-reporter/integrations)

standard-readme compliant

Check Run Reporter's client library, CLI, and CI integrations.

This is a monorepo (sort of) for Check Run Reporter's client library, CLI, and CI integrations. Instead of mainting separate test suites (if any tests at all) for each plugin, this repo contains the core TypeScript code as well as CI plugin integration code. As part of the build and release process, each plugin is push to the appopropriate repository for consumption.

Install

Usage

Maintainers

Ian Remmel

Contributing

We welcome pull requests, but for anything more than a minor tweak, please create an issue for so we can discuss whether the change is the right direction for the project.

License

MIT © Ian Remmel, LLC 2019-202

integrations's People

Contributors

dependabot[bot] avatar ianwremmel avatar mend-bolt-for-github[bot] avatar

integrations's Issues

[DepShield] (CVSS 4.3) Vulnerability due to usage of bl:4.1.0

Vulnerabilities

DepShield reports that this application's usage of bl:4.1.0 results in the following vulnerability(s):

Occurrences

bl:4.1.0 is a transitive dependency introduced by the following direct dependency(s):

pkg:5.3.3
        └─ prebuild-install:6.0.1
              └─ tar-fs:2.1.1
                    └─ tar-stream:2.2.0
                          └─ bl:4.1.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: integrations/package.json

Path to vulnerable library: integrations/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json,integrations/node_modules/wide-align/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • cli-columns-3.1.2.tgz
          • string-width-2.1.1.tgz
            • strip-ansi-4.0.0.tgz
              • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: integrations/package.json

Path to vulnerable library: integrations/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • cli-table3-0.6.0.tgz
          • string-width-4.2.2.tgz
            • strip-ansi-6.0.0.tgz
              • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isplainobject:4.0.6

Vulnerabilities

DepShield reports that this application's usage of lodash.isplainobject:4.0.6 results in the following vulnerability(s):

Occurrences

lodash.isplainobject:4.0.6 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/github:8.0.1
              └─ issue-parser:6.0.0
                    └─ lodash.isplainobject:4.0.6

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of debug:2.6.9

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

eslint-plugin-import:2.24.2
        └─ debug:2.6.9

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-35954 (Medium) detected in core-1.9.0.tgz

CVE-2022-35954 - Medium Severity Vulnerability

Vulnerable Library - core-1.9.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Dependency Hierarchy:

  • check-run-reporter-action-0.0.0-development.tgz (Root Library)
    • core-1.9.0.tgz (Vulnerable Library)

Found in HEAD commit: bdf0b0c6cca78da9fa72e34961e2e9d521994b61

Found in base branch: dependabot/npm_and_yarn/actions/glob-0.3.0

Vulnerability Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

Publish Date: 2022-08-15

URL: CVE-2022-35954

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954

Release Date: 2022-08-15

Fix Resolution: @actions/core - 1.9.1

Step up your Open Source Security Game with Mend here

CVE-2022-31051 (High) detected in semantic-release-18.0.0.tgz - autoclosed

CVE-2022-31051 - High Severity Vulnerability

Vulnerable Library - semantic-release-18.0.0.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-18.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

semantic-release is an open source npm package for automated version management and package publishing. In affected versions secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from uri encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository url to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly.

Publish Date: 2022-06-09

URL: CVE-2022-31051

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x2pg-mjhr-2m5x

Release Date: 2022-06-09

Fix Resolution: 19.0.3

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.escaperegexp:4.1.2

Vulnerabilities

DepShield reports that this application's usage of lodash.escaperegexp:4.1.2 results in the following vulnerability(s):

Occurrences

lodash.escaperegexp:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/github:8.0.1
              └─ issue-parser:6.0.0
                    └─ lodash.escaperegexp:4.1.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.set:4.3.2

Vulnerabilities

DepShield reports that this application's usage of lodash.set:4.3.2 results in the following vulnerability(s):

Occurrences

lodash.set:4.3.2 is a transitive dependency introduced by the following direct dependency(s):

nock:13.1.3
        └─ lodash.set:4.3.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-1214 (High) detected in axios-0.24.0.tgz - autoclosed

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.24.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

  • axios-0.24.0.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: 0.26.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-43616 (High) detected in npm-7.24.1.tgz - autoclosed

CVE-2021-43616 - High Severity Vulnerability

Vulnerable Library - npm-7.24.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz (Vulnerable Library)

Found in HEAD commit: bbb860e0100136ab2faac5844868c966f016ce2a

Found in base branch: main

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution (npm): 8.1.4

Direct dependency fix Resolution (semantic-release): 19.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

  • cli-7.15.7.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (@babel/cli): 7.16.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.memoize:4.1.2

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

eslint-plugin-compat:3.13.0
        └─ lodash.memoize:4.1.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-0355 (High) detected in simple-get-3.1.0.tgz - autoclosed

CVE-2022-0355 - High Severity Vulnerability

Vulnerable Library - simple-get-3.1.0.tgz

Simplest way to make http get requests. Supports HTTPS, redirects, gzip/deflate, streams in < 100 lines.

Library home page: https://registry.npmjs.org/simple-get/-/simple-get-3.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/simple-get/package.json

Dependency Hierarchy:

  • pkg-5.5.1.tgz (Root Library)
    • prebuild-install-6.1.4.tgz
      • simple-get-3.1.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM simple-get prior to 4.0.1.

Publish Date: 2022-01-26

URL: CVE-2022-0355

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0355

Release Date: 2022-01-26

Fix Resolution (simple-get): 3.1.1

Direct dependency fix Resolution (pkg): 5.5.2

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.debounce:4.0.8

Vulnerabilities

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

Occurrences

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency(s):

@babel/preset-env:7.15.6
        └─ babel-plugin-polyfill-corejs2:0.2.2
              └─ @babel/helper-define-polyfill-provider:0.2.3
                    └─ lodash.debounce:4.0.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.get:4.4.2

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:13.2.0
        └─ @commitlint/load:13.2.0
              └─ @endemolshinegroup/cosmiconfig-typescript-loader:3.0.2
                    └─ lodash.get:4.4.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.clonedeep:4.5.0

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

eslint:7.32.0
        └─ table:6.7.2
              └─ lodash.clonedeep:4.5.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of ini:1.3.8

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/cli:13.2.0
        └─ resolve-global:1.0.0
              └─ global-dirs:0.1.1
                    └─ ini:1.3.8

pkg:5.3.3
        └─ prebuild-install:6.0.1
              └─ rc:1.2.8
                    └─ ini:1.3.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 5.3) Vulnerability due to usage of just-diff:3.1.1

Vulnerabilities

DepShield reports that this application's usage of just-diff:3.1.1 results in the following vulnerability(s):

Occurrences

just-diff:3.1.1 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/npm:8.0.0
              └─ npm:7.24.1
                    └─ parse-conflict-json:1.1.1
                          └─ just-diff:3.1.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with WhiteSource here

WS-2017-3770 (Medium) detected in autolinker-0.28.1.tgz - autoclosed

WS-2017-3770 - Medium Severity Vulnerability

Vulnerable Library - autolinker-0.28.1.tgz

Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML

Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/autolinker/package.json

Dependency Hierarchy:

  • markdown-toc-1.2.0.tgz (Root Library)
    • remarkable-1.7.4.tgz
      • autolinker-0.28.1.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0. User input passed to the innerHTML tags isn't sanitized.

Publish Date: 2017-02-15

URL: WS-2017-3770

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-02-15

Fix Resolution: autolinker - 3.14.0

Step up your Open Source Security Game with Mend here

CVE-2022-29244 (High) detected in npm-7.24.1.tgz - autoclosed

CVE-2022-29244 - High Severity Vulnerability

Vulnerable Library - npm-7.24.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Publish Date: 2022-06-13

URL: CVE-2022-29244

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-06-13

Fix Resolution (npm): 8.11.0

Direct dependency fix Resolution (semantic-release): 19.0.0

Step up your Open Source Security Game with Mend here

CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

WS-2019-0540 (Medium) detected in autolinker-0.28.1.tgz - autoclosed

WS-2019-0540 - Medium Severity Vulnerability

Vulnerable Library - autolinker-0.28.1.tgz

Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML

Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz

Path to dependency file: integrations/package.json

Path to vulnerable library: integrations/node_modules/autolinker/package.json

Dependency Hierarchy:

  • markdown-toc-1.2.0.tgz (Root Library)
    • remarkable-1.7.4.tgz
      • autolinker-0.28.1.tgz (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

Denial of Service (DoS) vulnerability was found in autolinker before 3.0.0. Unterminated img src causes long execution.

Publish Date: 2019-01-08

URL: WS-2019-0540

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.0.0

Release Date: 2019-01-08

Fix Resolution: autolinker - 3.0.0

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 5.3) Vulnerability due to usage of kind-of:3.2.2

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

markdown-toc:1.2.0
        └─ lazy-cache:2.0.2
              └─ set-getter:0.1.1
                    └─ to-object-path:0.3.0
                          └─ kind-of:3.2.2
        └─ list-item:1.1.1
              └─ is-number:2.1.0
                    └─ kind-of:3.2.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-0155 (Medium) detected in follow-redirects-1.14.4.tgz - autoclosed

CVE-2022-0155 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • axios-0.24.0.tgz (Root Library)
    • follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: bdf0b0c6cca78da9fa72e34961e2e9d521994b61

Found in base branch: main

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (axios): 0.25.0

Step up your Open Source Security Game with Mend here

WS-2017-3770 (Medium) detected in autolinker-0.28.1.tgz - autoclosed

WS-2017-3770 - Medium Severity Vulnerability

Vulnerable Library - autolinker-0.28.1.tgz

Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML

Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz

Path to dependency file: integrations/package.json

Path to vulnerable library: integrations/node_modules/autolinker/package.json

Dependency Hierarchy:

  • markdown-toc-1.2.0.tgz (Root Library)
    • remarkable-1.7.4.tgz
      • autolinker-0.28.1.tgz (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0. User input passed to the innerHTML tags isn't sanitized.

Publish Date: 2017-02-15

URL: WS-2017-3770

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.14.0

Release Date: 2017-02-15

Fix Resolution: autolinker - 3.14.0

Step up your Open Source Security Game with WhiteSource here

[DepShield] (CVSS 7.5) Vulnerability due to usage of q:1.5.1

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

@commitlint/config-conventional:13.2.0
        └─ conventional-changelog-conventionalcommits:4.6.1
              └─ q:1.5.1

semantic-release:18.0.0
        └─ @semantic-release/commit-analyzer:9.0.1
              └─ conventional-changelog-angular:5.0.13
                    └─ q:1.5.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • http-signature-1.2.0.tgz
              • jsprim-1.4.1.tgz
                • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: bbb860e0100136ab2faac5844868c966f016ce2a

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (semantic-release): 18.0.1

Step up your Open Source Security Game with Mend here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0235 (Medium) detected in node-fetch-2.6.6.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • check-run-reporter-action-0.0.0-development.tgz (Root Library)
    • github-5.0.0.tgz
      • core-3.5.1.tgz
        • request-5.6.2.tgz
          • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Step up your Open Source Security Game with Mend here

CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2022-0536 (Medium) detected in follow-redirects-1.14.4.tgz - autoclosed

CVE-2022-0536 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.4.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • axios-0.24.0.tgz (Root Library)
    • follow-redirects-1.14.4.tgz (Vulnerable Library)

Found in HEAD commit: bdf0b0c6cca78da9fa72e34961e2e9d521994b61

Found in base branch: main

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (axios): 0.25.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.5) Vulnerability due to usage of marked:2.1.3

Depshield will be deprecated soon

Please install our new product, Sonatype Lift with advanced features

Vulnerabilities

DepShield reports that this application's usage of marked:2.1.3 results in the following vulnerability(s):

Occurrences

marked:2.1.3 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ marked:2.1.3

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.isstring:4.0.1

Vulnerabilities

DepShield reports that this application's usage of lodash.isstring:4.0.1 results in the following vulnerability(s):

Occurrences

lodash.isstring:4.0.1 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/github:8.0.1
              └─ issue-parser:6.0.0
                    └─ lodash.isstring:4.0.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash.uniqby:4.7.0

Vulnerabilities

DepShield reports that this application's usage of lodash.uniqby:4.7.0 results in the following vulnerability(s):

Occurrences

lodash.uniqby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/github:8.0.1
              └─ issue-parser:6.0.0
                    └─ lodash.uniqby:4.7.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 5.3) Vulnerability due to usage of just-diff-apply:3.0.0

Vulnerabilities

DepShield reports that this application's usage of just-diff-apply:3.0.0 results in the following vulnerability(s):

Occurrences

just-diff-apply:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

semantic-release:18.0.0
        └─ @semantic-release/npm:8.0.0
              └─ npm:7.24.1
                    └─ parse-conflict-json:1.1.1
                          └─ just-diff-apply:3.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • cli-columns-3.1.2.tgz
          • string-width-2.1.1.tgz
            • strip-ansi-4.0.0.tgz
              • ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • cli-table3-0.6.0.tgz
          • string-width-4.2.2.tgz
            • strip-ansi-6.0.0.tgz
              • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (semantic-release): 18.0.1

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (semantic-release): 18.0.1

Step up your Open Source Security Game with Mend here

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 28b2a973b77dcb376242d64480f1781bb1eff070

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-42740 (High) detected in shell-quote-1.7.2.tgz - autoclosed

CVE-2021-42740 - High Severity Vulnerability

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

  • npm-run-all-4.1.5.tgz (Root Library)
    • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in HEAD commit: bbb860e0100136ab2faac5844868c966f016ce2a

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

Step up your Open Source Security Game with Mend here

CVE-2021-43307 (High) detected in semver-regex-3.1.3.tgz - autoclosed

CVE-2021-43307 - High Severity Vulnerability

Vulnerable Library - semver-regex-3.1.3.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • semantic-release-18.0.0.tgz (Root Library)
    • find-versions-4.0.0.tgz
      • semver-regex-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2022-06-02

Fix Resolution (semver-regex): 3.1.4

Direct dependency fix Resolution (semantic-release): 18.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-2596 (Medium) detected in node-fetch-2.6.6.tgz - autoclosed

CVE-2022-2596 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • check-run-reporter-action-0.0.0-development.tgz (Root Library)
    • github-5.0.0.tgz
      • core-3.5.1.tgz
        • request-5.6.2.tgz
          • node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: bdf0b0c6cca78da9fa72e34961e2e9d521994b61

Found in base branch: main

Vulnerability Details

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

Publish Date: 2022-08-01

URL: CVE-2022-2596

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2596

Release Date: 2022-08-01

Fix Resolution: node-fetch - 3.2.10

Step up your Open Source Security Game with Mend here

WS-2019-0540 (Medium) detected in autolinker-0.28.1.tgz - autoclosed

WS-2019-0540 - Medium Severity Vulnerability

Vulnerable Library - autolinker-0.28.1.tgz

Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML

Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/autolinker/package.json

Dependency Hierarchy:

  • markdown-toc-1.2.0.tgz (Root Library)
    • remarkable-1.7.4.tgz
      • autolinker-0.28.1.tgz (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

Denial of Service (DoS) vulnerability was found in autolinker before 3.0.0. Unterminated img src causes long execution.

Publish Date: 2019-01-08

URL: WS-2019-0540

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-08

Fix Resolution: autolinker - 3.0.0

Step up your Open Source Security Game with Mend here

[DepShield] (CVSS 7.4) Vulnerability due to usage of lodash._reinterpolate:3.0.0

Vulnerabilities

DepShield reports that this application's usage of lodash._reinterpolate:3.0.0 results in the following vulnerability(s):

Occurrences

lodash._reinterpolate:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

markdown-toc:1.2.0
        └─ remarkable:1.7.4
              └─ autolinker:0.28.1
                    └─ gulp-header:1.8.12
                          └─ lodash.template:4.5.0
                                └─ lodash._reinterpolate:3.0.0
                                └─ lodash.templatesettings:4.2.0
                                      └─ lodash._reinterpolate:3.0.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js - autoclosed

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: integrations/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 3897795a3c6a8288d211dfcb229583d94b143b2e

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with WhiteSource here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.