Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

jest-cli-22.0.4.tgz: 22 vulnerabilities (highest severity is: 9.8) #47

Open
dev-mend-for-github-com bot opened this issue Oct 23, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dev-mend-for-github-com
Copy link

dev-mend-for-github-com bot commented Oct 23, 2023

Vulnerable Library - jest-cli-22.0.4.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jest-cli version) Remediation Possible** Reachability
CVE-2019-19919 Critical 9.8 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2019-0333 High 8.1 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2019-20920 High 8.1 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2020-0218 High 7.5 merge-1.2.0.tgz Transitive 24.0.0
WS-2019-0493 High 7.5 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2019-0492 High 7.5 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2019-0318 High 7.5 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2019-20922 High 7.5 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2018-16469 High 7.5 merge-1.2.0.tgz Transitive 22.0.5
WS-2019-0064 High 7.3 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2020-28499 High 7.3 merge-1.2.0.tgz Transitive 24.0.0
WS-2018-0590 High 7.0 diff-3.4.0.tgz Transitive 22.0.5
WS-2019-0103 Medium 5.6 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2021-23383 Medium 5.6 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2021-23369 Medium 5.6 handlebars-4.0.11.tgz Transitive 22.0.5
CVE-2020-7789 Medium 5.6 node-notifier-5.1.2.tgz Transitive 22.0.5
WS-2017-3757 Medium 5.3 content-type-parser-1.0.2.tgz Transitive N/A*
CVE-2020-7608 Medium 5.3 yargs-parser-8.0.0.tgz Transitive 24.9.0
CVE-2017-16028 Medium 5.3 randomatic-1.1.7.tgz Transitive 22.0.5
WS-2019-0332 Medium 5.0 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2019-0331 Medium 5.0 handlebars-4.0.11.tgz Transitive 22.0.5
WS-2018-0589 Medium 4.0 nwmatcher-1.4.3.tgz Transitive 22.0.5

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-19919

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0333

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-20920

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2020-0218

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-haste-map-22.0.3.tgz
      • sane-2.2.0.tgz
        • exec-sh-0.2.1.tgz
          • merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2020-10-09

URL: WS-2020-0218

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-09

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (jest-cli): 24.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0493

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.2 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-14

URL: WS-2019-0493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-14

Fix Resolution (handlebars): 4.5.2

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0492

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-19

URL: WS-2019-0492

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-19

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0318

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In "showdownjs/showdown", versions prior to v4.4.5 are vulnerable against Regular expression Denial of Service (ReDOS) once receiving specially-crafted templates.

Publish Date: 2019-10-20

URL: WS-2019-0318

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2019-10-20

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-20922

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2018-16469

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-haste-map-22.0.3.tgz
      • sane-2.2.0.tgz
        • exec-sh-0.2.1.tgz
          • merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The merge.recursive function in the merge package <1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

Publish Date: 2018-10-30

URL: CVE-2018-16469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16469

Release Date: 2018-10-30

Fix Resolution (merge): 1.2.1

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0064

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.14

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2020-28499

Vulnerable Library - merge-1.2.0.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/merge/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-haste-map-22.0.3.tgz
      • sane-2.2.0.tgz
        • exec-sh-0.2.1.tgz
          • merge-1.2.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Mend Note: Converted from WS-2020-0218, on 2021-07-21.

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1666

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.1

Direct dependency fix Resolution (jest-cli): 24.0.0

In order to enable automatic remediation, please create workflow rules

WS-2018-0590

Vulnerable Library - diff-3.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.4.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/diff/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-snapshot-22.0.3.tgz
      • jest-diff-22.0.3.tgz
        • diff-3.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0103

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.13

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2021-23383

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2021-23369

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2020-7789

Vulnerable Library - node-notifier-5.1.2.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.1.2.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/node-notifier/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • node-notifier-5.1.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7789

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2017-3757

Vulnerable Library - content-type-parser-1.0.2.tgz

Parse the value of the Content-Type header

Library home page: https://registry.npmjs.org/content-type-parser/-/content-type-parser-1.0.2.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/content-type-parser/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-environment-jsdom-22.0.4.tgz
      • jsdom-11.5.1.tgz
        • content-type-parser-1.0.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

all versions prior to 2.0.0 of content-type-parser npm package are vulnerable to ReDoS via the user agent parser. the vulnerability was fixed by reintroducing a new parser and deleting the old one.

Publish Date: 2017-12-10

URL: WS-2017-3757

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-12-10

Fix Resolution: v2.0.0

CVE-2020-7608

Vulnerable Library - yargs-parser-8.0.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-8.0.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • yargs-10.0.3.tgz
      • yargs-parser-8.0.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (jest-cli): 24.9.0

In order to enable automatic remediation, please create workflow rules

CVE-2017-16028

Vulnerable Library - randomatic-1.1.7.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/randomatic/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.3.tgz
            • randomatic-1.1.7.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-04-26

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/157/versions

Release Date: 2018-04-26

Fix Resolution (randomatic): 3.0.0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0332

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.It is due to an incomplete fix for a WS-2019-0331.

Publish Date: 2019-11-17

URL: WS-2019-0332

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2019-11-17

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2019-0331

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • istanbul-api-1.2.1.tgz
      • istanbul-reports-1.1.3.tgz
        • handlebars-4.0.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. Lookup helper fails to validate templates. Attack may submit templates that execute arbitrary JavaScript in the system.

Publish Date: 2019-11-13

URL: WS-2019-0331

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2019-11-13

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules

WS-2018-0589

Vulnerable Library - nwmatcher-1.4.3.tgz

A CSS3-compliant JavaScript selector engine.

Library home page: https://registry.npmjs.org/nwmatcher/-/nwmatcher-1.4.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/nwmatcher/package.json

Dependency Hierarchy:

  • jest-cli-22.0.4.tgz (Root Library)
    • jest-environment-jsdom-22.0.4.tgz
      • jsdom-11.5.1.tgz
        • nwmatcher-1.4.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression vulnerability was found in nwmatcher before 1.4.4. The fix replacing multiple repeated instances of the "\s*" pattern.

Publish Date: 2018-03-05

URL: WS-2018-0589

CVSS 2 Score Details (4.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (nwmatcher): 1.4.4

Direct dependency fix Resolution (jest-cli): 22.0.5

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

@dev-mend-for-github-com dev-mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Oct 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants