Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

babel-cli-6.26.0.tgz: 4 vulnerabilities (highest severity is: 8.0) #46

Open
dev-mend-for-github-com bot opened this issue Oct 23, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dev-mend-for-github-com
Copy link

dev-mend-for-github-com bot commented Oct 23, 2023

Vulnerable Library - babel-cli-6.26.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (babel-cli version) Remediation Possible** Reachability
WS-2018-0084 High 8.0 sshpk-1.13.1.tgz Transitive N/A*
CVE-2019-13173 High 7.5 fstream-1.0.11.tgz Transitive N/A*
CVE-2018-3737 High 7.5 sshpk-1.13.1.tgz Transitive N/A*
CVE-2018-20834 High 7.5 tar-2.2.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2018-0084

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.3.tgz
        • node-pre-gyp-0.6.39.tgz
          • request-2.81.0.tgz
            • http-signature-1.1.1.tgz
              • sshpk-1.13.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

CVE-2019-13173

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-lifecycle/node_modules/node-gyp/node_modules/fstream/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.3.tgz
        • node-pre-gyp-0.6.39.tgz
          • tar-2.2.1.tgz
            • fstream-1.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12

CVE-2018-3737

Vulnerable Library - sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/sshpk/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.3.tgz
        • node-pre-gyp-0.6.39.tgz
          • request-2.81.0.tgz
            • http-signature-1.1.1.tgz
              • sshpk-1.13.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

Publish Date: 2018-04-26

URL: CVE-2018-3737

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/319593

Release Date: 2018-04-26

Fix Resolution: 1.13.2

CVE-2018-20834

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/npm/node_modules/npm-lifecycle/node_modules/node-gyp/node_modules/tar/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.3.tgz
        • node-pre-gyp-0.6.39.tgz
          • tar-2.2.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution: 2.2.2,4.4.2

@dev-mend-for-github-com dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Oct 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants