react-scripts-1.0.17.tgz: 107 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github-com]

Vulnerable Library - react-scripts-1.0.17.tgz

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**	Reachability
CVE-2023-42282	Critical	9.8	ip-1.1.5.tgz	Transitive	1.1.0	❌
CVE-2022-37601	Critical	9.8	detected in multiple dependencies	Transitive	4.0.0	❌
CVE-2022-0691	Critical	9.8	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-44906	Critical	9.8	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-42740	Critical	9.8	shell-quote-1.6.1.tgz	Transitive	5.0.0	❌
CVE-2021-3918	Critical	9.8	json-schema-0.2.3.tgz	Transitive	1.1.0	❌
CVE-2020-7720	Critical	9.8	node-forge-0.6.33.tgz	Transitive	1.1.0	❌
CVE-2018-6342	Critical	9.8	react-dev-utils-4.2.1.tgz	Transitive	1.1.0	❌
CVE-2018-3774	Critical	9.8	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2018-16492	Critical	9.8	extend-3.0.1.tgz	Transitive	1.1.0	❌
CVE-2018-13797	Critical	9.8	macaddress-0.2.8.tgz	Transitive	1.1.0	❌
CVE-2018-1000620	Critical	9.8	cryptiles-3.1.2.tgz	Transitive	1.1.1	❌
CVE-2023-45133	Critical	9.3	babel-traverse-6.26.0.tgz	Transitive	N/A*	❌
CVE-2024-48949	Critical	9.1	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2024-29415	Critical	9.1	ip-1.1.5.tgz	Transitive	N/A*	❌
CVE-2022-0686	Critical	9.1	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2019-10744	Critical	9.1	lodash.template-4.4.0.tgz	Transitive	1.1.0	❌
WS-2019-0063	High	8.1	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2022-1650	High	8.1	eventsource-0.1.6.tgz	Transitive	2.1.3	❌
CVE-2021-43138	High	7.8	async-2.6.0.tgz	Transitive	1.1.0	❌
CVE-2021-23386	High	7.7	dns-packet-1.2.2.tgz	Transitive	1.1.0	❌
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2021-0152	High	7.5	color-string-0.3.0.tgz	Transitive	2.0.0	❌
WS-2020-0450	High	7.5	handlebars-4.5.3.tgz	Transitive	1.1.0	❌
WS-2019-0541	High	7.5	macaddress-0.2.8.tgz	Transitive	1.1.0	❌
WS-2019-0032	High	7.5	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2024-45590	High	7.5	body-parser-1.18.2.tgz	Transitive	N/A*	❌
CVE-2024-45296	High	7.5	detected in multiple dependencies	Transitive	2.0.1	❌
CVE-2024-4068	High	7.5	braces-1.8.5.tgz	Transitive	N/A*	❌
CVE-2024-21540	High	7.5	source-map-support-0.4.18.tgz	Transitive	N/A*	❌
CVE-2024-21536	High	7.5	http-proxy-middleware-0.17.4.tgz	Transitive	N/A*	❌
CVE-2022-37620	High	7.5	html-minifier-3.5.6.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.1.0.tgz	Transitive	1.1.0	❌
CVE-2022-3517	High	7.5	minimatch-3.0.3.tgz	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	qs-6.5.1.tgz	Transitive	1.1.0	❌
CVE-2022-24772	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2022-24771	High	7.5	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-3803	High	7.5	nth-check-1.0.1.tgz	Transitive	1.1.0	❌
CVE-2021-3777	High	7.5	tmpl-1.0.4.tgz	Transitive	1.1.0	❌
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	2.0.1	❌
CVE-2021-29059	High	7.5	is-svg-2.1.0.tgz	Transitive	2.0.0	❌
CVE-2021-28092	High	7.5	is-svg-2.1.0.tgz	Transitive	2.0.0	❌
CVE-2021-27516	High	7.5	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2021-23424	High	7.5	ansi-html-0.0.7.tgz	Transitive	5.0.0	❌
CVE-2020-7662	High	7.5	websocket-extensions-0.1.3.tgz	Transitive	1.1.0	❌
CVE-2018-3737	High	7.5	sshpk-1.13.1.tgz	Transitive	1.1.0	❌
CVE-2018-16469	High	7.5	merge-1.2.0.tgz	Transitive	1.1.0	❌
CVE-2018-14732	High	7.5	webpack-dev-server-2.9.4.tgz	Transitive	2.0.0	❌
WS-2018-0588	High	7.4	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2022-29167	High	7.4	hawk-6.0.2.tgz	Transitive	1.1.1	❌
CVE-2020-8116	High	7.3	dot-prop-3.0.0.tgz	Transitive	1.1.0	❌
CVE-2020-7788	High	7.3	ini-1.3.4.tgz	Transitive	1.1.0	❌
CVE-2020-28499	High	7.3	merge-1.2.0.tgz	Transitive	3.0.0	❌
CVE-2018-3750	High	7.3	deep-extend-0.4.2.tgz	Transitive	1.1.0	❌
WS-2018-0590	High	7.1	diff-3.4.0.tgz	Transitive	1.1.0	❌
CVE-2022-46175	High	7.1	json5-0.5.1.tgz	Transitive	3.0.0	❌
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2022-0008	Medium	6.6	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2023-26136	Medium	6.5	tough-cookie-2.3.3.tgz	Transitive	4.0.0	❌
CVE-2022-0613	Medium	6.5	urijs-1.19.0.tgz	Transitive	N/A*	❌
CVE-2020-26291	Medium	6.5	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2018-21270	Medium	6.5	stringstream-0.0.5.tgz	Transitive	1.1.0	❌
CVE-2024-43788	Medium	6.4	webpack-3.8.1.tgz	Transitive	N/A*	❌
CVE-2024-29041	Medium	6.1	express-4.16.2.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.83.0.tgz	Transitive	N/A*	❌
CVE-2022-1243	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-1233	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-0868	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-0122	Medium	6.1	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2021-3647	Medium	6.1	urijs-1.19.0.tgz	Transitive	1.1.0	❌
WS-2019-0427	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.1.0	❌
CVE-2021-24033	Medium	5.6	react-dev-utils-4.2.1.tgz	Transitive	4.0.0	❌
CVE-2021-23383	Medium	5.6	handlebars-4.5.3.tgz	Transitive	1.1.0	❌
CVE-2021-23369	Medium	5.6	handlebars-4.5.3.tgz	Transitive	1.1.0	❌
CVE-2020-7789	Medium	5.6	node-notifier-5.1.2.tgz	Transitive	1.1.0	❌
CVE-2020-7598	Medium	5.6	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2020-15366	Medium	5.6	ajv-5.3.0.tgz	Transitive	2.0.0	❌
WS-2019-0017	Medium	5.3	clean-css-4.1.9.tgz	Transitive	1.1.0	❌
WS-2018-0347	Medium	5.3	eslint-4.10.0.tgz	Transitive	2.0.0	❌
WS-2017-3757	Medium	5.3	content-type-parser-1.0.2.tgz	Transitive	N/A*	❌
CVE-2024-4067	Medium	5.3	micromatch-2.3.11.tgz	Transitive	N/A*	❌
CVE-2023-44270	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-5.7.1.tgz	Transitive	2.0.1	❌
CVE-2022-24773	Medium	5.3	node-forge-0.6.33.tgz	Transitive	5.0.0	❌
CVE-2022-24723	Medium	5.3	urijs-1.19.0.tgz	Transitive	1.1.0	❌
CVE-2022-0639	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2022-0512	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-3664	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-29060	Medium	5.3	color-string-0.3.0.tgz	Transitive	2.0.0	❌
CVE-2021-27515	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2021-23382	Medium	5.3	detected in multiple dependencies	Transitive	3.0.0	❌
CVE-2021-23362	Medium	5.3	hosted-git-info-2.5.0.tgz	Transitive	1.1.0	❌
CVE-2021-23343	Medium	5.3	path-parse-1.0.5.tgz	Transitive	1.1.0	❌
CVE-2020-8124	Medium	5.3	detected in multiple dependencies	Transitive	1.1.0	❌
CVE-2020-7693	Medium	5.3	sockjs-0.3.18.tgz	Transitive	3.4.2	❌
CVE-2020-7608	Medium	5.3	detected in multiple dependencies	Transitive	2.0.0	❌
CVE-2020-28469	Medium	5.3	glob-parent-2.0.0.tgz	Transitive	5.0.0	❌
CVE-2017-16028	Medium	5.3	randomatic-1.1.7.tgz	Transitive	1.1.0	❌
WS-2019-0307	Medium	5.1	mem-1.1.0.tgz	Transitive	2.0.0	❌
CVE-2024-43800	Medium	5.0	serve-static-1.13.1.tgz	Transitive	N/A*	❌
CVE-2024-43799	Medium	5.0	send-0.16.1.tgz	Transitive	N/A*	❌
CVE-2024-43796	Medium	5.0	express-4.16.2.tgz	Transitive	N/A*	❌
WS-2018-0103	Medium	4.8	stringstream-0.0.5.tgz	Transitive	1.1.0	❌
CVE-2024-48948	Medium	4.8	detected in multiple dependencies	Transitive	N/A*	❌
WS-2018-0589	Low	3.7	nwmatcher-1.4.3.tgz	Transitive	1.1.0	❌
CVE-2024-27088	Low	0.0	es5-ext-0.10.35.tgz	Transitive	1.1.0	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-42282

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-dev-server-2.9.4.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Publish Date: 2024-02-08

URL: CVE-2023-42282

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Release Date: 2024-02-08

Fix Resolution (ip): 1.1.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • html-webpack-plugin-2.29.0.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • eslint-loader-1.9.0.tgz
    • ❌ loader-utils-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

CVE-2022-0691

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz, minimist-0.0.10.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-haste-map-20.0.5.tgz
        • sane-1.6.0.tgz
          • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • babel-loader-7.1.2.tgz
    • mkdirp-0.5.1.tgz
      • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.2.1.tgz
        • istanbul-reports-1.1.3.tgz
          • handlebars-4.5.3.tgz
            • optimist-0.6.1.tgz
              • ❌ minimist-0.0.10.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-scripts): 5.0.0

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • request-2.83.0.tgz
            • http-signature-1.2.0.tgz
              • jsprim-1.4.1.tgz
                • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2020-7720

Vulnerable Library - node-forge-0.6.33.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.33.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-dev-server-2.9.4.tgz
    • selfsigned-1.10.1.tgz
      • ❌ node-forge-0.6.33.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-6342

Vulnerable Library - react-dev-utils-4.2.1.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-4.2.1.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • ❌ react-dev-utils-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 4.2.2

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-3774

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.2.0.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.2.0.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.2.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • react-dev-utils-4.2.1.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-16492

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • request-2.83.0.tgz
            • ❌ extend-3.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-13797

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • css-loader-0.28.7.tgz
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2022-10-03

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2018-1000620

Vulnerable Library - cryptiles-3.1.2.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • request-2.83.0.tgz
            • hawk-6.0.2.tgz
              • ❌ cryptiles-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.1

CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • babel-core-6.26.0.tgz
    • ❌ babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

CVE-2024-48949

Vulnerable Libraries - elliptic-6.5.4.tgz, elliptic-6.4.0.tgz

elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-3.8.1.tgz
    • node-libs-browser-2.0.0.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.2.tgz
          • ❌ elliptic-6.5.4.tgz (Vulnerable Library)

elliptic-6.4.0.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.4.0.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-3.8.1.tgz
    • node-libs-browser-2.0.0.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.0.tgz
          • ❌ elliptic-6.4.0.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (react-scripts): 1.1.0

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (react-scripts): 1.1.0

CVE-2024-29415

Vulnerable Library - ip-1.1.5.tgz

[](https://www.npmjs.com/package/ip)

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.5.tgz

Dependency Hierarchy:

• react-scripts-1.0.17.tgz (Root Library)
  • webpack-dev-server-2.9.4.tgz
    • ❌ ip-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: e860641c6c1a3b39daa0fa29dbca45ac5104d93d

Found in base branch: main

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

[mend-for-github-com]

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #46

[mend-for-github-com]

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #46