haaskiweatherapp's Issues
cli-plugin-eslint-4.5.6.tgz: 1 vulnerability (highest severity is: 7.5)
Vulnerable Library - cli-plugin-eslint-4.5.6.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (cli-plugin-eslint version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | 5.0.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json
Dependency Hierarchy:
- cli-plugin-eslint-4.5.6.tgz (Root Library)
- globby-9.2.0.tgz
- fast-glob-2.2.7.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to regular expression denial of service (ReDoS).
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@vue/cli-plugin-eslint): 5.0.0
Step up your Open Source Security Game with Mend here
WS-2020-0208 (Medium) detected in highlight.js-9.18.3.tgz - autoclosed
WS-2020-0208 - Medium Severity Vulnerability
Vulnerable Library - highlight.js-9.18.3.tgz
Syntax highlighting with language autodetection.
Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.3.tgz
Path to dependency file: haaskiweatherapp/vue-weather/package.json
Path to vulnerable library: haaskiweatherapp/vue-weather/node_modules/highlight.js/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- cli-highlight-2.1.4.tgz
- ❌ highlight.js-9.18.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
If you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server side infinite freezes could occur... effectively preventing users from accessing your app or service (i.e. denial of service). This is an issue with grammars shipped with the parser (and potentially 3rd-party grammars also), not the parser itself. If you are using Highlight.js with any of the affected grammars (the list is not reproduced in this report) you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
Publish Date: 2020-12-04
URL: WS-2020-0208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/highlightjs/highlight.js/tree/10.4.1
Release Date: 2020-12-04
Fix Resolution: 10.4.1
CVE-2021-23364 (Medium) detected in browserslist-4.14.4.tgz - autoclosed
CVE-2021-23364 - Medium Severity Vulnerability
Vulnerable Library - browserslist-4.14.4.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.4.tgz
Path to dependency file: haaskiweatherapp/vue-weather/package.json
Path to vulnerable library: haaskiweatherapp/vue-weather/node_modules/browserslist/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- ❌ browserslist-4.14.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
cli-service-4.5.6.tgz: 9 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - cli-service-4.5.6.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/highlight.js/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (cli-service version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2022-37601 | Critical | 9.8 | loader-utils-0.2.17.tgz | Transitive | 5.0.1 | ❌ |
CVE-2022-37598 | Critical | 9.8 | uglify-js-3.4.10.tgz | Transitive | 5.0.1 | ❌ |
CVE-2022-46175 | High | 8.8 | json5-0.5.1.tgz | Transitive | 5.0.1 | ❌ |
CVE-2021-43138 | High | 7.8 | async-2.6.3.tgz | Transitive | 4.5.7 | ❌ |
CVE-2022-25858 | High | 7.5 | terser-4.8.0.tgz | Transitive | 4.5.7 | ❌ |
CVE-2022-37620 | High | 7.5 | html-minifier-3.5.21.tgz | Transitive | N/A* | ❌ |
CVE-2021-33502 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2021-23364 | Medium | 5.3 | browserslist-4.14.4.tgz | Transitive | 4.5.7 | ❌ |
WS-2020-0208 | Medium | 5.3 | highlight.js-9.18.3.tgz | Transitive | 4.5.7 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-37601
Vulnerable Library - loader-utils-0.2.17.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- html-webpack-plugin-3.2.0.tgz
- ❌ loader-utils-0.2.17.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
CVE-2022-37598
Vulnerable Library - uglify-js-3.4.10.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/uglify-js/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- html-webpack-plugin-3.2.0.tgz
- html-minifier-3.5.21.tgz
- ❌ uglify-js-3.4.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
CVE-2022-46175
Vulnerable Library - json5-0.5.1.tgz
JSON for the ES5 era.
Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/html-webpack-plugin/node_modules/json5/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- html-webpack-plugin-3.2.0.tgz
- loader-utils-0.2.17.tgz
- ❌ json5-0.5.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the upstream advisory's examples (not reproduced here) mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
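The object-level pollution described above, and the same bug class behind the loader-utils `parseQuery` finding earlier in this issue (a caller-controlled key name assigned straight into an object), in runnable form. This is an added example, not code from json5, loader-utils or this project: `JSON.parse` is used only as a lexer (it stores `__proto__` as an ordinary own property), and the two builders, the payload, the `isPrivileged` check and the `hasForeignPrototype` check are all constructed for the example. The `defineProperty` builder shows one correct way to build the object; it is not claimed to be json5's exact patch.

```javascript
// Added example (not json5, loader-utils or haaskiweatherapp code).
// Constructed attacker-controlled input: a config string with a "__proto__" key.
const PAYLOAD = '{"city":"Helsinki","__proto__":{"isAdmin":true}}';

// JSON.parse stores "__proto__" as an ordinary own data property (it never
// touches the prototype chain), so it is a safe way to obtain key/value pairs.
function parseToPairs(text) {
  const raw = JSON.parse(text);
  return Object.keys(raw).map((key) => [key, raw[key]]);
}

// Vulnerable builder: plain assignment. For the key "__proto__" this invokes
// the Object.prototype.__proto__ setter and swaps the prototype of the object
// being built: the per-object pollution the advisory describes.
function buildByAssignment(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened builder: defineProperty creates an own data property named
// "__proto__" and never runs the setter (the same semantics JSON.parse has).
function buildByDefineProperty(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Detection check for a freshly parsed plain object: its prototype must be
// Object.prototype (or null); anything else means a "__proto__" key got through.
function hasForeignPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}

// A trusted operation that the polluted object subverts via inheritance.
function isPrivileged(config) {
  return config.isAdmin === true;
}

function demo() {
  const pairs = parseToPairs(PAYLOAD);
  const polluted = buildByAssignment(pairs);
  const safe = buildByDefineProperty(pairs);
  return {
    pollutedPrivileged: isPrivileged(polluted),           // true: inherited from the injected prototype
    pollutedForeignProto: hasForeignPrototype(polluted),  // true
    globalUntouched: Object.prototype.isAdmin === undefined, // true: only this object is affected
    safePrivileged: isPrivileged(safe),                   // false
    safeHasOwnProtoKey: Object.prototype.hasOwnProperty.call(safe, '__proto__'), // true, and harmless
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The practical takeaway is the `hasForeignPrototype` check: any object that comes out of a parser or a query-string decoder and is then handed to a trusted operation should have `Object.prototype` (or `null`) as its prototype, and a key named `__proto__` should only ever become an own property.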
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 1.0.2
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
CVE-2021-43138
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/async/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- portfinder-1.0.28.tgz
- ❌ async-2.6.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (@vue/cli-service): 4.5.7
CVE-2022-25858
Vulnerable Library - terser-4.8.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/terser/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- terser-webpack-plugin-2.3.8.tgz
- ❌ terser-4.8.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (@vue/cli-service): 4.5.7
CVE-2022-37620
Vulnerable Library - html-minifier-3.5.21.tgz
Highly configurable, well-tested, JavaScript-based HTML minifier.
Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/html-minifier/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- html-webpack-plugin-3.2.0.tgz
- ❌ html-minifier-3.5.21.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
Publish Date: 2022-10-31
URL: CVE-2022-37620
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2021-33502
Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz
normalize-url-1.9.1.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- mini-css-extract-plugin-0.9.0.tgz
- ❌ normalize-url-1.9.1.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/normalize-url/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- optimize-cssnano-plugin-1.0.6.tgz
- cssnano-preset-default-4.0.7.tgz
- postcss-normalize-url-4.0.1.tgz
- ❌ normalize-url-3.3.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1, 5.3.1, 6.0.1
CVE-2021-23364
Vulnerable Library - browserslist-4.14.4.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.4.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/browserslist/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- ❌ browserslist-4.14.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (@vue/cli-service): 4.5.7
WS-2020-0208
Vulnerable Library - highlight.js-9.18.3.tgz
Syntax highlighting with language autodetection.
Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.3.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/highlight.js/package.json
Dependency Hierarchy:
- cli-service-4.5.6.tgz (Root Library)
- cli-highlight-2.1.4.tgz
- ❌ highlight.js-9.18.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
If you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server side infinite freezes could occur... effectively preventing users from accessing your app or service (i.e. denial of service). This is an issue with grammars shipped with the parser (and potentially 3rd-party grammars also), not the parser itself. If you are using Highlight.js with any of the affected grammars (the list is not reproduced in this report) you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.
Publish Date: 2020-12-04
URL: WS-2020-0208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-04
Fix Resolution (highlight.js): 10.4.1
Direct dependency fix Resolution (@vue/cli-service): 4.5.7
cli-plugin-babel-4.5.6.tgz: 7 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - cli-plugin-babel-4.5.6.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/shell-quote/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (cli-plugin-babel version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-26136 | Critical | 9.8 | tough-cookie-2.5.0.tgz | Transitive | 5.0.0 | ❌ |
CVE-2022-37601 | Critical | 9.8 | loader-utils-1.4.0.tgz | Transitive | 4.5.7 | ❌ |
CVE-2021-42740 | Critical | 9.8 | shell-quote-1.7.2.tgz | Transitive | 4.5.7 | ❌ |
CVE-2022-46175 | High | 8.8 | detected in multiple dependencies | Transitive | 4.5.7 | ❌ |
CVE-2022-38900 | High | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 4.5.7 | ❌ |
CVE-2022-37603 | High | 7.5 | loader-utils-1.4.0.tgz | Transitive | 4.5.7 | ❌ |
CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26136
Vulnerable Library - tough-cookie-2.5.0.tgz
RFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/tough-cookie/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- cli-shared-utils-4.5.6.tgz
- request-2.88.2.tgz
- ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Publish Date: 2023-07-01
URL: CVE-2023-26136
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136
Release Date: 2023-07-01
Fix Resolution (tough-cookie): 4.1.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 5.0.0
CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/loader-utils/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- babel-loader-8.1.0.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
Publish Date: 2022-10-12
URL: CVE-2022-37601
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: 2022-10-12
Fix Resolution (loader-utils): 1.4.1
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7
CVE-2021-42740
Vulnerable Library - shell-quote-1.7.2.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/shell-quote/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- cli-shared-utils-4.5.6.tgz
- launch-editor-2.2.1.tgz
- ❌ shell-quote-1.7.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
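What `[A-z]` actually matches, as an added example that is not shell-quote's code or this project's: `charsInAtoZGap` lists the ASCII characters that sit between `Z` and `a`, `escapeMetas` is a constructed, deliberately simplified escaper with an optional drive-letter prefix (the same shape of mistake the advisory describes, not shell-quote's real regex or metacharacter set), and `usesAtoZRange` is a lint check a reviewer can run over regex sources to catch the range before it ships.

```javascript
// Added example (not shell-quote or haaskiweatherapp code).

// Characters whose code points lie strictly between 'Z' (0x5A) and 'a' (0x61):
// they are inside [A-z] but outside [A-Za-z].
function charsInAtoZGap() {
  const out = [];
  for (let c = 'Z'.charCodeAt(0) + 1; c < 'a'.charCodeAt(0); c++) {
    out.push(String.fromCharCode(c));
  }
  return out.join(''); // six characters: [ \ ] ^ _ and the backtick
}

const BUGGY_CLASS = '[A-z]';    // the class named in the advisory
const FIXED_CLASS = '[A-Za-z]'; // the corrected class

// Constructed escaper in the shape the advisory describes: a leading
// "<drive letter>:" is passed through untouched, every other metacharacter in
// the (reduced, illustrative) set is backslash-escaped. letterClass is the
// character class used to recognise the drive letter.
function escapeMetas(arg, letterClass) {
  const re = new RegExp('^(' + letterClass + ':)|([`$;|&])', 'g');
  return arg.replace(re, (match, drive, meta) => (drive ? drive : '\\' + meta));
}

// Lint check: true when a pattern's source uses the A-z range inside a
// character class, which almost always means [A-Za-z] was intended.
function usesAtoZRange(pattern) {
  const source = pattern instanceof RegExp ? pattern.source : String(pattern);
  return /\[[^\]]*A-z[^\]]*\]/.test(source);
}

function demo() {
  const attackerArg = '`:whoami'; // constructed: backtick where a drive letter is expected
  return {
    gap: charsInAtoZGap(),                            // '[\\]^_`'
    buggy: escapeMetas(attackerArg, BUGGY_CLASS),     // '`:whoami'   backtick passes through unescaped
    fixed: escapeMetas(attackerArg, FIXED_CLASS),     // '\\`:whoami' backtick escaped
    drive: escapeMetas('C:\\Users\\x', FIXED_CLASS),  // unchanged: a real drive prefix is kept
    lintBuggy: usesAtoZRange(new RegExp('^' + BUGGY_CLASS + ':')), // true
    lintFixed: usesAtoZRange(new RegExp('^' + FIXED_CLASS + ':')), // false
  };
}
```

The fix in the advisory is the one-character change from `[A-z]` to `[A-Za-z]`; the lint check is the cheap way to find the same slip in any other regex a code base relies on for escaping.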
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7
CVE-2022-46175
Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz
json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/json5/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- core-7.11.6.tgz
- ❌ json5-2.1.3.tgz (Vulnerable Library)
json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/loader-utils/node_modules/json5/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- babel-loader-8.1.0.tgz
- loader-utils-1.4.0.tgz
- ❌ json5-1.0.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the upstream advisory's examples (not reproduced here) mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- webpack-4.44.2.tgz
- micromatch-3.1.10.tgz
- snapdragon-0.8.2.tgz
- source-map-resolve-0.5.3.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7
CVE-2022-37603
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/loader-utils/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- babel-loader-8.1.0.tgz
- ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: 2022-10-14
URL: CVE-2022-37603
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: 2022-10-14
Fix Resolution (loader-utils): 1.4.2
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /vue-weather/package.json
Path to vulnerable library: /vue-weather/node_modules/request/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.6.tgz (Root Library)
- cli-shared-utils-4.5.6.tgz
- ❌ request-2.88.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.
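A redirect policy that closes the gap described above, as an added example that is not request's code or this project's: the client checks every `Location` hop, not just the initial URL, and refuses a hop that changes scheme. It goes slightly beyond the advisory by also enforcing a host allowlist and a hop limit, since a redirect-following client that only checks the first URL is bypassable in all three ways. The policy object, host names and redirect chains are constructed for the example.

```javascript
// Added example (not request's code or haaskiweatherapp code).
// A redirect policy for an HTTP client that may only talk to allowlisted hosts
// over one scheme: a hop is refused when the scheme changes, when the target
// host is not allowlisted, or when the chain is too long.
const HTTP_SCHEMES = new Set(['http:', 'https:']);

function checkRedirect(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl, from); // relative Location values resolve against the current URL
  if (!HTTP_SCHEMES.has(to.protocol)) return { ok: false, reason: 'non-HTTP scheme' };
  if (to.protocol !== from.protocol) return { ok: false, reason: 'cross-protocol redirect' };
  if (!policy.allowedHosts.has(to.hostname)) return { ok: false, reason: 'host not allowlisted' };
  return { ok: true, next: to.href };
}

// Walks a list of Location values (constructed here, as a server would send
// them) the way a client does, stopping at the first hop the policy rejects.
function followChain(startUrl, locations, policy) {
  let current = startUrl;
  const visited = [current];
  for (const location of locations) {
    if (visited.length > policy.maxHops) return { ok: false, reason: 'too many redirects', visited };
    const verdict = checkRedirect(current, location, policy);
    if (!verdict.ok) return { ok: false, reason: verdict.reason, visited };
    current = verdict.next;
    visited.push(current);
  }
  return { ok: true, visited };
}

// Constructed policy: one allowlisted API host, at most five hops.
const POLICY = { allowedHosts: new Set(['api.weather.example']), maxHops: 5 };

function demo() {
  const start = 'https://api.weather.example/v1';
  return {
    // Benign same-scheme hop on the allowlisted host.
    sameScheme: followChain(start, ['https://api.weather.example/v2'], POLICY),
    // The bypass in the advisory: an HTTPS -> HTTP downgrade to the same host.
    downgrade: followChain(start, ['http://api.weather.example/v1'], POLICY),
    // Attacker-controlled server steering the client at an internal address.
    internal: followChain(start, ['https://169.254.169.254/latest/meta-data/'], POLICY),
    // Relative Location header, resolved and then checked like any other hop.
    relative: followChain(start, ['/v2/forecast'], POLICY),
  };
}
```

The point of checking each hop rather than the initial URL is that a redirect-following client is effectively making a new request on every `Location`; whatever validation applied to the first URL has to apply to every subsequent one.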
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0