compiler-sfc-3.0.9.tgz: 3 vulnerabilities (highest severity is: 5.5) - autoclosed
Vulnerable Library - compiler-sfc-3.0.9.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/nanoid/package.json
Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-23566 | Medium | 5.5 | nanoid-3.1.22.tgz | Transitive | 3.0.10 | ✅ |
CVE-2021-23382 | Medium | 5.3 | postcss-8.2.8.tgz | Transitive | 3.0.10 | ✅ |
CVE-2021-23368 | Medium | 5.3 | postcss-8.2.8.tgz | Transitive | 3.0.10 | ✅ |
Details
CVE-2021-23566
Vulnerable Library - nanoid-3.1.22.tgz
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.22.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/nanoid/package.json
Dependency Hierarchy:
- compiler-sfc-3.0.9.tgz (Root Library)
  - postcss-8.2.8.tgz
    - ❌ nanoid-3.1.22.tgz (Vulnerable Library)
  - postcss-8.2.8.tgz
Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75
Found in base branch: main
Vulnerability Details
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: ai/nanoid#328
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10
⛑️ Automatic Remediation is available for this issue
CVE-2021-23382
Vulnerable Library - postcss-8.2.8.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/@vue/compiler-sfc/node_modules/postcss/package.json
Dependency Hierarchy:
- compiler-sfc-3.0.9.tgz (Root Library)
  - ❌ postcss-8.2.8.tgz (Vulnerable Library)
Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75
Found in base branch: main
Vulnerability Details
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 8.2.13
Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10
⛑️ Automatic Remediation is available for this issue
CVE-2021-23368
Vulnerable Library - postcss-8.2.8.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz
Path to dependency file: /frontend/package.json
Path to vulnerable library: /frontend/node_modules/@vue/compiler-sfc/node_modules/postcss/package.json
Dependency Hierarchy:
- compiler-sfc-3.0.9.tgz (Root Library)
  - ❌ postcss-8.2.8.tgz (Vulnerable Library)
Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75
Found in base branch: main
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 8.2.10
Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.