copy-webpack-plugin-4.6.0.tgz: 3 vulnerabilities (highest severity is: 8.1) - autoclosed
Closed this issue · 1 comment
Vulnerable Library - copy-webpack-plugin-4.6.0.tgz
Path to dependency file: /Modules/UpendoPrompt/package.json
Path to vulnerable library: /Modules/UpendoPrompt/node_modules/ssri/package.json
Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (copy-webpack-plugin version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-7660 | High | 8.1 | serialize-javascript-1.9.1.tgz | Transitive | 5.1.2 | ❌ |
CVE-2021-27290 | High | 7.5 | ssri-5.3.0.tgz | Transitive | 5.0.0 | ❌ |
CVE-2019-16769 | Medium | 5.4 | serialize-javascript-1.9.1.tgz | Transitive | 5.0.5 | ❌ |
Details
CVE-2020-7660
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: /Modules/UpendoPrompt/package.json
Path to vulnerable library: /Modules/UpendoPrompt/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- copy-webpack-plugin-4.6.0.tgz (Root Library)
  - ❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785
Found in base branch: main
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-08
Fix Resolution (serialize-javascript): 3.1.0
Direct dependency fix Resolution (copy-webpack-plugin): 5.1.2
Step up your Open Source Security Game with Mend here
CVE-2021-27290
Vulnerable Library - ssri-5.3.0.tgz
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz
Path to dependency file: /Modules/UpendoPrompt/package.json
Path to vulnerable library: /Modules/UpendoPrompt/node_modules/ssri/package.json
Dependency Hierarchy:
- copy-webpack-plugin-4.6.0.tgz (Root Library)
  - cacache-10.0.4.tgz
    - ❌ ssri-5.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785
Found in base branch: main
Vulnerability Details
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution (ssri): 6.0.2
Direct dependency fix Resolution (copy-webpack-plugin): 5.0.0
CVE-2019-16769
Vulnerable Library - serialize-javascript-1.9.1.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz
Path to dependency file: /Modules/UpendoPrompt/package.json
Path to vulnerable library: /Modules/UpendoPrompt/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
- copy-webpack-plugin-4.6.0.tgz (Root Library)
  - ❌ serialize-javascript-1.9.1.tgz (Vulnerable Library)
Found in HEAD commit: 34d11f1fc219eef34bab125547d2716a9a9ac785
Found in base branch: main
Vulnerability Details
The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate unsafe characters in serialized regular expressions. Node.js environments are not affected, because Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized regular expression objects are consumed in an environment other than Node.js, that environment is affected by this vulnerability.
Publish Date: 2019-12-05
URL: CVE-2019-16769
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16769
Release Date: 2019-12-05
Fix Resolution (serialize-javascript): 2.1.1
Direct dependency fix Resolution (copy-webpack-plugin): 5.0.5
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.