turkdevops / nexus-iq-chrome-extension Goto Github PK

Vulnerable Library - normalize-url-5.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-5.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/normalize-url/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • ❌ normalize-url-5.3.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 5.3.1

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - grunt-0.4.5.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-0.4.5.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json

Dependency Hierarchy:

• ❌ grunt-0.4.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.

Publish Date: 2022-04-12

URL: CVE-2022-0436

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0436

Release Date: 2022-04-12

Fix Resolution: 1.5.1

Vulnerable Libraries - underscore.string-2.2.1.tgz, underscore.string-2.4.0.tgz, underscore.string-2.3.3.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Underscore.string, before 3.3.5, is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2018-10-03

URL: WS-2018-0232

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/745

Release Date: 2018-12-30

Fix Resolution: 3.3.5

Vulnerable Libraries - underscore.string-2.2.1.tgz, underscore.string-2.4.0.tgz, underscore.string-2.3.3.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Publish Date: 2018-06-07

URL: CVE-2017-16116

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16116

Release Date: 2018-06-07

Fix Resolution (underscore.string): 3.3.5

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (underscore.string): 3.3.5

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (underscore.string): 3.3.5

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_standalone.html

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

Vulnerable Library - npm-6.14.8.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-6.14.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • ❌ npm-6.14.8.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

Publish Date: 2022-06-13

URL: CVE-2022-29244

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-06-13

Fix Resolution (npm): 6.14.18

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Library - utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/utile/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/utile/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • prompt-0.2.14.tgz
      • ❌ utile-0.2.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The utile npm module, version 0.3.0, allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0148

Release Date: 2018-01-16

Fix Resolution: JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03

Vulnerable Library - js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/js-yaml/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/js-yaml/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ js-yaml-2.0.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (grunt): 1.0.4

Vulnerable Libraries - lodash-4.17.20.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt-contrib-jshint): 1.0.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - grunt-0.4.5.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-0.4.5.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json

Dependency Hierarchy:

• ❌ grunt-0.4.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.

Publish Date: 2022-05-10

URL: CVE-2022-1537

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/

Release Date: 2022-05-10

Fix Resolution: 1.5.3

Vulnerable Libraries - jquery-ui-1.12.1.js, jquery-ui-1.12.1.min.js

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (eslint): 7.0.0

Vulnerable Libraries - marked-1.2.0.tgz, marked-0.8.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (semantic-release): 19.0.0

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (jsdoc): 3.6.8

Vulnerable Library - node-notifier-6.0.0.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-6.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier/package.json

Dependency Hierarchy:

• jest-25.5.4.tgz (Root Library)
  • core-25.5.4.tgz
    • reporters-25.5.1.tgz
      • ❌ node-notifier-6.0.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853

Release Date: 2020-12-11

Fix Resolution (node-notifier): 8.0.1

Direct dependency fix Resolution (jest): 26.0.0

Vulnerable Library - underscore-1.10.2.tgz

JavaScript's functional programming helper library.

Library home page: https://registry.npmjs.org/underscore/-/underscore-1.10.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/underscore/package.json

Dependency Hierarchy:

• jsdoc-3.6.6.tgz (Root Library)
  • ❌ underscore-1.10.2.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution (underscore): 1.12.1

Direct dependency fix Resolution (jsdoc): 3.6.7

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

• auditjs-4.0.18.tgz (Root Library)
  • ❌ node-fetch-2.6.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (auditjs): 4.0.19

Vulnerable Libraries - jquery-3.4.1.js, jquery-3.4.1.min.js, jquery-1.8.1.min.js

Found in base branch: fixVersionHistory-gh

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Vulnerable Library - marked-0.8.2.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.8.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• jsdoc-3.6.6.tgz (Root Library)
  • ❌ marked-0.8.2.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (jsdoc): 3.6.7

Vulnerable Libraries - jquery-ui-1.12.1.js, jquery-ui-1.12.1.min.js

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

Vulnerable Library - request-2.12.0.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.12.0.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/testswarm/node_modules/request/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/testswarm/node_modules/request/package.json

Dependency Hierarchy:

• testswarm-1.1.0.tgz (Root Library)
  • ❌ request-2.12.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Request is an http client. If a request is made using multipart, and the body type is a number, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0.

Publish Date: 2018-06-04

URL: CVE-2017-16026

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16026

Release Date: 2018-04-26

Fix Resolution (request): 2.68.0

Direct dependency fix Resolution (testswarm): 1.1.1

Vulnerable Library - semantic-release-17.2.1.tgz

Automated semver compliant package publishing

Library home page: https://registry.npmjs.org/semantic-release/-/semantic-release-17.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/package.json

Dependency Hierarchy:

• ❌ semantic-release-17.2.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.

Publish Date: 2020-11-18

URL: CVE-2020-26226

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r2j6-p67h-q639

Release Date: 2020-11-18

Fix Resolution: 17.2.3

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json,/node_modules/npm/node_modules/y18n/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • npm-6.14.8.tgz
      • cacache-12.0.3.tgz
        • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • npm-6.14.8.tgz
      • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Publish Date: 2020-10-27

URL: CVE-2020-7754

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7754

Release Date: 2020-10-27

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.9

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - semver-regex-2.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • find-versions-3.2.0.tgz
    • ❌ semver-regex-2.0.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (semver-regex): 3.1.3

Direct dependency fix Resolution (semantic-release): 17.3.1

Vulnerable Library - mout-0.11.1.tgz

Modular Utilities

Library home page: https://registry.npmjs.org/mout/-/mout-0.11.1.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/mout/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/mout/package.json

Dependency Hierarchy:

• commitplease-2.3.0.tgz (Root Library)
  • ❌ mout-0.11.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Publish Date: 2020-12-11

URL: CVE-2020-7792

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7792

Release Date: 2020-12-11

Fix Resolution (mout): 1.2.3

Direct dependency fix Resolution (commitplease): 2.7.0

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - npm-user-validate-1.0.0.tgz

User validations for npm

Library home page: https://registry.npmjs.org/npm-user-validate/-/npm-user-validate-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/npm-user-validate/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • npm-6.14.8.tgz
      • ❌ npm-user-validate-1.0.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The package npm-user-validate prior to version 1.0.1 is vulnerable to REDoS. The regex that validates a user's email took exponentially longer to process input strings that begin with the '@' character.

Publish Date: 2020-10-16

URL: WS-2020-0180

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xgh6-85xh-479p

Release Date: 2020-10-16

Fix Resolution (npm-user-validate): 1.0.1

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-2.0.10.tgz, minimatch-0.2.14.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-04-26

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt): 1.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt-bowercopy): 1.2.5

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (grunt): 1.0.0

Vulnerable Libraries - marked-1.2.0.tgz, marked-0.8.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (semantic-release): 19.0.0

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (jsdoc): 3.6.8

Vulnerable Library - js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/js-yaml/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/js-yaml/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ js-yaml-2.0.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (grunt): 1.0.4

Vulnerable Library - pathval-0.1.1.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-0.1.1.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/pathval/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/pathval/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • ❌ pathval-0.1.1.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

pathval before version 1.1.1 is vulnerable to prototype pollution.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751

Release Date: 2020-10-26

Fix Resolution: pathval - 1.1.1

Vulnerable Libraries - lodash-4.17.20.tgz, lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt-contrib-jshint): 1.0.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json,/node_modules/npm/node_modules/ini/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • rc-1.2.8.tgz
      • ❌ ini-1.3.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Library - grunt-0.4.5.tgz

The JavaScript Task Runner

Library home page: https://registry.npmjs.org/grunt/-/grunt-0.4.5.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/grunt/package.json

Dependency Hierarchy:

• ❌ grunt-0.4.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

Publish Date: 2020-09-03

URL: CVE-2020-7729

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1684

Release Date: 2020-09-03

Fix Resolution: 1.3.0

Vulnerable Libraries - async-0.1.9.js, async-2.6.3.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Vulnerable Libraries - jquery-3.4.1.js, jquery-3.4.1.min.js, jquery-1.8.1.min.js

Found in base branch: fixVersionHistory-gh

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Vulnerable Library - ajv-5.5.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/ajv/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • npm-7.0.6.tgz
    • npm-6.14.8.tgz
      • request-2.88.0.tgz
        • har-validator-5.1.0.tgz
          • ❌ ajv-5.5.2.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (semantic-release): 17.2.2

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

Vulnerable Library - xmlbuilder-2.6.5.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-2.6.5.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/xmlbuilder/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

• grunt-jscs-2.1.0.tgz (Root Library)
  • jscs-2.1.1.tgz
    • ❌ xmlbuilder-2.6.5.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-02-08

Fix Resolution: 9.0.5

Vulnerable Libraries - lodash-3.10.1.tgz, lodash-2.4.2.tgz, lodash-0.9.2.tgz

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt-contrib-csslint): 2.0.0

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt): 1.0.3

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (grunt): 1.0.3

Vulnerable Libraries - jquery-ui-1.12.1.js, jquery-ui-1.12.1.min.js

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/bower/lib/node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - mime-1.2.7.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.7.tgz

Path to dependency file: /src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /src/Scripts/lib/jquery-ui-1.12.1/node_modules/testswarm/node_modules/request/node_modules/mime/package.json,/release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/testswarm/node_modules/request/node_modules/mime/package.json

Dependency Hierarchy:

• testswarm-1.1.0.tgz (Root Library)
  • request-2.12.0.tgz
    • ❌ mime-1.2.7.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-04-26

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (testswarm): 1.1.1

Vulnerable Library - marked-1.2.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semantic-release/node_modules/marked/package.json

Dependency Hierarchy:

• semantic-release-17.2.1.tgz (Root Library)
  • ❌ marked-1.2.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

Publish Date: 2021-02-08

URL: CVE-2021-21306

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4r62-v4vq-hr96

Release Date: 2021-02-08

Fix Resolution (marked): 2.0.0

Direct dependency fix Resolution (semantic-release): 17.3.8

Vulnerable Library - getobject-0.1.0.tgz

get.and.set.deep.objects.easily = true

Library home page: https://registry.npmjs.org/getobject/-/getobject-0.1.0.tgz

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/package.json

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/getobject/package.json,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/getobject/package.json

Dependency Hierarchy:

• grunt-0.4.5.tgz (Root Library)
  • ❌ getobject-0.1.0.tgz (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Publish Date: 2020-12-29

URL: CVE-2020-28282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/package/getobject

Release Date: 2020-12-29

Fix Resolution (getobject): 1.0.0

Direct dependency fix Resolution (grunt): 1.3.0

Vulnerable Library - jquery-1.3.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.2/jquery.min.js

Path to dependency file: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_standalone.html

Path to vulnerable library: /release/1.8.1/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_underscore/vendor/jquery.js,/src/Scripts/lib/jquery-ui-1.12.1/node_modules/underscore.string/test/test_underscore/vendor/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.3.2.min.js (Vulnerable Library)

Found in base branch: fixVersionHistory-gh

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3