Vulnerable Library - build-angular-0.803.26.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (build-angular version) |
Remediation Available |
CVE-2022-0691 |
High |
9.8 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-37601 |
High |
9.8 |
loader-utils-1.2.3.tgz |
Transitive |
0.901.0 |
โ |
CVE-2022-1650 |
High |
9.3 |
eventsource-1.0.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-0686 |
High |
9.1 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-46175 |
High |
8.8 |
detected in multiple dependencies |
Transitive |
0.803.27 |
โ |
CVE-2020-7660 |
High |
8.1 |
serialize-javascript-2.1.2.tgz |
Transitive |
0.803.28 |
โ |
CVE-2021-43138 |
High |
7.8 |
async-2.6.3.tgz |
Transitive |
0.1000.0 |
โ |
CVE-2020-13822 |
High |
7.7 |
elliptic-6.5.2.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-25858 |
High |
7.5 |
terser-4.6.3.tgz |
Transitive |
0.900.0 |
โ |
CVE-2020-28469 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
13.0.0 |
โ |
CVE-2021-33502 |
High |
7.5 |
normalize-url-1.9.1.tgz |
Transitive |
N/A* |
โ |
CVE-2022-24772 |
High |
7.5 |
node-forge-0.9.0.tgz |
Transitive |
13.2.1 |
โ |
CVE-2022-24771 |
High |
7.5 |
node-forge-0.9.0.tgz |
Transitive |
13.2.1 |
โ |
CVE-2022-3517 |
High |
7.5 |
minimatch-3.0.4.tgz |
Transitive |
N/A* |
โ |
CVE-2021-23382 |
High |
7.5 |
postcss-7.0.17.tgz |
Transitive |
0.1102.13 |
โ |
CVE-2022-37603 |
High |
7.5 |
loader-utils-1.2.3.tgz |
Transitive |
13.2.1 |
โ |
CVE-2020-7720 |
High |
7.3 |
node-forge-0.9.0.tgz |
Transitive |
0.803.27 |
โ |
CVE-2020-28498 |
Medium |
6.8 |
elliptic-6.5.2.tgz |
Transitive |
0.803.27 |
โ |
WS-2022-0008 |
Medium |
6.6 |
node-forge-0.9.0.tgz |
Transitive |
13.2.1 |
โ |
CVE-2022-0122 |
Medium |
6.1 |
node-forge-0.9.0.tgz |
Transitive |
13.2.1 |
โ |
CVE-2023-28155 |
Medium |
6.1 |
request-2.88.2.tgz |
Transitive |
N/A* |
โ |
WS-2019-0424 |
Medium |
5.9 |
elliptic-6.5.2.tgz |
Transitive |
0.803.27 |
โ |
CVE-2020-7693 |
Medium |
5.3 |
sockjs-0.3.19.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-0512 |
Medium |
5.3 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2021-3664 |
Medium |
5.3 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-24773 |
Medium |
5.3 |
node-forge-0.9.0.tgz |
Transitive |
13.2.1 |
โ |
CVE-2021-27515 |
Medium |
5.3 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2022-0639 |
Medium |
5.3 |
url-parse-1.4.7.tgz |
Transitive |
0.803.27 |
โ |
CVE-2021-23364 |
Medium |
5.3 |
detected in multiple dependencies |
Transitive |
0.900.0 |
โ |
CVE-2021-23368 |
Medium |
5.3 |
postcss-7.0.17.tgz |
Transitive |
0.1102.13 |
โ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
Partial details (26 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2022-0691
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- โ url-parse-1.4.7.tgz (Vulnerable Library)
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-37601
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- โ loader-utils-1.2.3.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.901.0
Step up your Open Source Security Game with Mend here
CVE-2022-1650
Vulnerable Library - eventsource-1.0.7.tgz
W3C compliant EventSource client for Node.js and browser (polyfill)
Library home page: https://registry.npmjs.org/eventsource/-/eventsource-1.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eventsource/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- โ eventsource-1.0.7.tgz (Vulnerable Library)
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Publish Date: 2022-05-12
URL: CVE-2022-1650
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-05-12
Fix Resolution (eventsource): 1.1.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-0686
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- โ url-parse-1.4.7.tgz (Vulnerable Library)
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-46175
Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz
json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/node_modules/json5/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- core-7.8.7.tgz
- โ json5-2.1.3.tgz (Vulnerable Library)
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- loader-utils-1.2.3.tgz
- โ json5-1.0.1.tgz (Vulnerable Library)
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-7660
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
- โ serialize-javascript-2.1.2.tgz (Vulnerable Library)
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.28
Step up your Open Source Security Game with Mend here
CVE-2021-43138
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- source-map-loader-0.2.4.tgz
- โ async-2.6.3.tgz (Vulnerable Library)
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1000.0
Step up your Open Source Security Game with Mend here
CVE-2020-13822
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- โ elliptic-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-25858
Vulnerable Library - terser-4.6.3.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/terser/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- โ terser-4.6.3.tgz (Vulnerable Library)
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.900.0
Step up your Open Source Security Game with Mend here
CVE-2020-28469
Vulnerable Libraries - glob-parent-5.1.1.tgz, glob-parent-3.1.0.tgz
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/chokidar/node_modules/glob-parent/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- sass-1.22.9.tgz
- chokidar-3.4.0.tgz
- โ glob-parent-5.1.1.tgz (Vulnerable Library)
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- copy-webpack-plugin-5.1.1.tgz
- โ glob-parent-3.1.0.tgz (Vulnerable Library)
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.0.0
Step up your Open Source Security Game with Mend here
CVE-2021-33502
Vulnerable Library - normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- mini-css-extract-plugin-0.8.0.tgz
- โ normalize-url-1.9.1.tgz (Vulnerable Library)
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Step up your Open Source Security Game with Mend here
CVE-2022-24772
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-24771
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- โ minimatch-3.0.4.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
CVE-2021-23382
Vulnerable Library - postcss-7.0.17.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/postcss/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- โ postcss-7.0.17.tgz (Vulnerable Library)
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.1102.13
Step up your Open Source Security Game with Mend here
CVE-2022-37603
Vulnerable Library - loader-utils-1.2.3.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/loader-utils/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- โ loader-utils-1.2.3.tgz (Vulnerable Library)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 2.0.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2020-7720
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-28498
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- โ elliptic-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Publish Date: 2021-02-02
URL: CVE-2020-28498
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
Release Date: 2021-02-02
Fix Resolution (elliptic): 6.5.4
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
WS-2022-0008
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2022-0122
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- less-3.9.0.tgz
- โ request-2.88.2.tgz (Vulnerable Library)
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
WS-2019-0424
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-4.39.2.tgz
- node-libs-browser-2.2.1.tgz
- crypto-browserify-3.12.0.tgz
- browserify-sign-4.2.0.tgz
- โ elliptic-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
all versions of elliptic are vulnerable to Timing Attack through side-channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2019-0424
Release Date: 2019-11-13
Fix Resolution (elliptic): 6.5.3
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2020-7693
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/sockjs/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- โ sockjs-0.3.19.tgz (Vulnerable Library)
Vulnerability Details
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-0512
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- โ url-parse-1.4.7.tgz (Vulnerable Library)
Vulnerability Details
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2021-3664
Vulnerable Library - url-parse-1.4.7.tgz
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- sockjs-client-1.4.0.tgz
- โ url-parse-1.4.7.tgz (Vulnerable Library)
Vulnerability Details
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 0.803.27
Step up your Open Source Security Game with Mend here
CVE-2022-24773
Vulnerable Library - node-forge-0.9.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-0.803.26.tgz (Root Library)
- webpack-dev-server-3.9.0.tgz
- selfsigned-1.10.7.tgz
- โ node-forge-0.9.0.tgz (Vulnerable Library)
Vulnerability Details
Forge (also called node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo
for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge
version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.1
Step up your Open Source Security Game with Mend here