webpack-4.46.0.tgz: 8 vulnerabilities (highest severity is: 9.1)
mend-for-github-com opened this issue · 0 comments
Vulnerable Library - webpack-4.46.0.tgz
Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (webpack version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-25858 | High | 7.5 | terser-4.8.0.tgz | Transitive | 5.0.0 | ❌ |
CVE-2020-28469 | High | 7.5 | glob-parent-3.1.0.tgz | Transitive | 5.0.0 | ❌ |
Details
CVE-2022-25858
Vulnerable Library - terser-4.8.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit for ES6+
Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
- terser-webpack-plugin-1.4.5.tgz
- ❌ terser-4.8.0.tgz (Vulnerable Library)
- terser-webpack-plugin-1.4.5.tgz
Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b
Found in base branch: main
Vulnerability Details
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Publish Date: 2022-07-15
URL: CVE-2022-25858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858
Release Date: 2022-07-15
Fix Resolution (terser): 4.8.1
Direct dependency fix Resolution (webpack): 5.0.0
CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
- watchpack-1.7.5.tgz
- watchpack-chokidar2-2.0.1.tgz
- chokidar-2.1.8.tgz
- ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- chokidar-2.1.8.tgz
- watchpack-chokidar2-2.0.1.tgz
- watchpack-1.7.5.tgz
Found in HEAD commit: 1e5781423c543a0c9bfedb4c5a57ca049920974b
Found in base branch: main
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (webpack): 5.0.0