Vulnerable Library - update-0.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pkg-store/node_modules/set-value/package.json,/node_modules/map-schema/node_modules/set-value/package.json,/node_modules/data-store/node_modules/set-value/package.json,/node_modules/vinyl-item/node_modules/set-value/package.json,/node_modules/option-cache/node_modules/set-value/package.json
Found in HEAD commit: 4960c5e57a377ff84983ea2cb6c176e76e5ac674
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (update version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23440 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2019-10747 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2018-16486 | High | 9.8 | defaults-deep-0.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-2.4.1.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
Details
CVE-2021-23440
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-0.2.0.tgz, set-value-0.3.3.tgz
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pkg-store/node_modules/set-value/package.json,/node_modules/map-schema/node_modules/set-value/package.json,/node_modules/data-store/node_modules/set-value/package.json,/node_modules/vinyl-item/node_modules/set-value/package.json,/node_modules/option-cache/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - data-store-0.16.1.tgz
    - union-value-0.2.4.tgz
      - ❌ set-value-0.4.3.tgz (Vulnerable Library)
set-value-0.2.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - assemble-core-0.25.0.tgz
    - templates-0.24.3.tgz
      - engine-base-0.1.3.tgz
        - engine-0.1.12.tgz
          - ❌ set-value-0.2.0.tgz (Vulnerable Library)
set-value-0.3.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/question-cache/node_modules/set-value/package.json,/node_modules/expand-object/node_modules/set-value/package.json,/node_modules/templates/node_modules/set-value/package.json,/node_modules/expand-args/node_modules/set-value/package.json,/node_modules/base-option/node_modules/set-value/package.json,/node_modules/question-store/node_modules/set-value/package.json,/node_modules/gulp-choose-files/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - base-generators-0.4.6.tgz
    - base-option-0.8.4.tgz
      - ❌ set-value-0.3.3.tgz (Vulnerable Library)
Found in HEAD commit: 4960c5e57a377ff84983ea2cb6c176e76e5ac674
Found in base branch: main
Vulnerability Details
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution: set-value - 2.0.1,4.0.1
CVE-2019-10747
Vulnerable Libraries - set-value-0.3.3.tgz, set-value-0.2.0.tgz, set-value-0.4.3.tgz
set-value-0.3.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.3.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/question-cache/node_modules/set-value/package.json,/node_modules/expand-object/node_modules/set-value/package.json,/node_modules/templates/node_modules/set-value/package.json,/node_modules/expand-args/node_modules/set-value/package.json,/node_modules/base-option/node_modules/set-value/package.json,/node_modules/question-store/node_modules/set-value/package.json,/node_modules/gulp-choose-files/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - base-generators-0.4.6.tgz
    - base-option-0.8.4.tgz
      - ❌ set-value-0.3.3.tgz (Vulnerable Library)
set-value-0.2.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - assemble-core-0.25.0.tgz
    - templates-0.24.3.tgz
      - engine-base-0.1.3.tgz
        - engine-0.1.12.tgz
          - ❌ set-value-0.2.0.tgz (Vulnerable Library)
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pkg-store/node_modules/set-value/package.json,/node_modules/map-schema/node_modules/set-value/package.json,/node_modules/data-store/node_modules/set-value/package.json,/node_modules/vinyl-item/node_modules/set-value/package.json,/node_modules/option-cache/node_modules/set-value/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - data-store-0.16.1.tgz
    - union-value-0.2.4.tgz
      - ❌ set-value-0.4.3.tgz (Vulnerable Library)
Found in HEAD commit: 4960c5e57a377ff84983ea2cb6c176e76e5ac674
Found in base branch: main
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the `constructor`, `prototype` and `__proto__` payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution: 2.0.1,3.0.1
CVE-2018-16486
Vulnerable Library - defaults-deep-0.2.4.tgz
Like `extend` but recursively copies only the missing properties/values to the target object.
Library home page: https://registry.npmjs.org/defaults-deep/-/defaults-deep-0.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/defaults-deep/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - base-generators-0.4.6.tgz
    - base-pkg-0.2.5.tgz
      - expand-pkg-0.1.9.tgz
        - ❌ defaults-deep-0.2.4.tgz (Vulnerable Library)
Found in HEAD commit: 4960c5e57a377ff84983ea2cb6c176e76e5ac674
Found in base branch: main
Vulnerability Details
A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16486
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
CVE-2020-7608
Vulnerable Library - yargs-parser-2.4.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/common-config/node_modules/yargs-parser/package.json,/node_modules/update/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- update-0.7.4.tgz (Root Library)
  - ❌ yargs-parser-2.4.1.tgz (Vulnerable Library)
Found in HEAD commit: 4960c5e57a377ff84983ea2cb6c176e76e5ac674
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1