cli-plugin-babel-4.5.12.tgz: 2 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - cli-plugin-babel-4.5.12.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/hosted-git-info/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3918 | High | 9.8 | json-schema-0.2.3.tgz | Transitive | 4.5.13 | ✅ |
CVE-2021-23362 | Medium | 5.3 | hosted-git-info-2.8.8.tgz | Transitive | 4.5.13 | ✅ |
Details
CVE-2021-3918
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/json-schema/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.12.tgz (Root Library)
  - cli-shared-utils-4.5.12.tgz
    - request-2.88.2.tgz
      - http-signature-1.2.0.tgz
        - jsprim-1.4.1.tgz
          - ❌ json-schema-0.2.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.13
⛑️ Automatic Remediation is available for this issue
CVE-2021-23362
Vulnerable Library - hosted-git-info-2.8.8.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
- cli-plugin-babel-4.5.12.tgz (Root Library)
  - cli-shared-utils-4.5.12.tgz
    - read-pkg-5.2.0.tgz
      - normalize-package-data-2.5.0.tgz
        - ❌ hosted-git-info-2.8.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.13
⛑️ Automatic Remediation is available for this issue
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.