noise-suppression-1.0.0-beta.9.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed

Question

noise-suppression-1.0.0-beta.9.tgz: 1 vulnerabilities (highest severity is: 6.1) - autoclosed

Closed this issue 8 months ago · 1 comments

mend-for-github-com commented 9 months ago

Vulnerable Library - noise-suppression-1.0.0-beta.9.tgz

Path to dependency file: /noise-suppression/denoize-file/package.json

Path to vulnerable library: /noise-suppression/denoize-file/package.json

Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4

Oops, something went wrong. We couldn’t find a fix. Support token-de3013379a0444b592ba5013ad0d9f28

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (noise-suppression version)	Fix PR available
CVE-2023-49293	Medium	6.1	vite-4.5.0.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-49293

Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz

Path to dependency file: /noise-suppression/denoize-file/package.json

Path to vulnerable library: /noise-suppression/denoize-file/package.json

Dependency Hierarchy:

noise-suppression-1.0.0-beta.9.tgz (Root Library)
- ❌ vite-4.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4

Found in base branch: main

Vulnerability Details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

Publish Date: 2023-12-04

URL: CVE-2023-49293

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-92r3-m2mg-pj97

Release Date: 2023-12-04

Fix Resolution: vite - 4.4.12,4.5.1,5.0.5

Answer 1 · 2024-01-25T11:19:13.000Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.