temporalio/temporal-ecommerce

compiler-sfc-3.0.9.tgz: 3 vulnerabilities (highest severity is: 5.5) - autoclosed

Closed · 1 comment

Vulnerable Library - compiler-sfc-3.0.9.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/nanoid/package.json

Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (@vue/compiler-sfc) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-23566 | Medium | 5.5 | nanoid-3.1.22.tgz | Transitive | 3.0.10 | Yes |
| CVE-2021-23382 | Medium | 5.3 | postcss-8.2.8.tgz | Transitive | 3.0.10 | Yes |
| CVE-2021-23368 | Medium | 5.3 | postcss-8.2.8.tgz | Transitive | 3.0.10 | Yes |

Details

CVE-2021-23566

Vulnerable Library - nanoid-3.1.22.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.22.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/nanoid/package.json

Dependency Hierarchy:

  • compiler-sfc-3.0.9.tgz (Root Library)
    • postcss-8.2.8.tgz
      • nanoid-3.1.22.tgz (Vulnerable Library)

Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75

Found in base branch: main

Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via its valueOf() function, which allows the last generated id to be reproduced.

Publish Date: 2022-01-14

URL: CVE-2021-23566

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: ai/nanoid#328

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10

⛑️ Automatic Remediation is available for this issue

CVE-2021-23382

Vulnerable Library - postcss-8.2.8.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/@vue/compiler-sfc/node_modules/postcss/package.json

Dependency Hierarchy:

  • compiler-sfc-3.0.9.tgz (Root Library)
    • postcss-8.2.8.tgz (Vulnerable Library)

Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75

Found in base branch: main

Vulnerability Details

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*). The slow path is reached through a crafted source-map annotation comment in the CSS being processed, so the practical exposure is whatever stylesheets reach this build-time compiler (untrusted or upstream-supplied sources).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 8.2.13

Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10

⛑️ Automatic Remediation is available for this issue

CVE-2021-23368

Vulnerable Library - postcss-8.2.8.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.2.8.tgz

Path to dependency file: /frontend/package.json

Path to vulnerable library: /frontend/node_modules/@vue/compiler-sfc/node_modules/postcss/package.json

Dependency Hierarchy:

  • compiler-sfc-3.0.9.tgz (Root Library)
    • postcss-8.2.8.tgz (Vulnerable Library)

Found in HEAD commit: a88cb57894b45f44522a94500165f0a324ef4f75

Found in base branch: main

Vulnerability Details

The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
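The two postcss entries in this issue (CVE-2021-23382 and CVE-2021-23368) describe the same failure mode: a regex over the `/*# sourceMappingURL=... */` annotation that backtracks quadratically on a crafted comment. The following is an added example, not postcss's source or its fix: `getAnnotationURLVulnerable` uses a regex of the shape the CVE text describes (`.*` immediately followed by `\s*` before the comment terminator), `getAnnotationURLLinear` is a hand-written scan that visits each character once, and the attack input is constructed here (an annotation with no closing `*/` followed by N spaces). Function names and the payload builder are the example's own.

```javascript
// Added example: a regex of the shape CVE-2021-23382 describes, next to a
// linear-time scanner. Neither function is postcss's own code.

// Vulnerable shape: `(.*)` and `\s*` both accept runs of spaces, so when the
// annotation has no closing `*/` the engine retries every split between them.
// That is O(n^2) regex steps for n trailing spaces.
const VULNERABLE_ANNOTATION = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function getAnnotationURLVulnerable(css) {
  const m = css.match(VULNERABLE_ANNOTATION);
  return m ? m[1].trim() : null;
}

// Hardened: locate each block comment with indexOf and test its body with
// startsWith. An unterminated comment ends the scan at once, and no input
// makes this revisit characters, so the cost stays O(n). (Unlike the regex,
// whose `.` stops at a newline, this accepts a multi-line comment body.)
function getAnnotationURLLinear(css) {
  const marker = '# sourceMappingURL=';
  let from = 0;
  for (;;) {
    const open = css.indexOf('/*', from);
    if (open === -1) return null;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) return null; // unterminated comment: nothing to extract
    const body = css.slice(open + 2, close).trimStart();
    if (body.startsWith(marker)) return body.slice(marker.length).trim();
    from = close + 2;
  }
}

// Constructed attack input: a valid-looking annotation followed by n spaces and
// no terminator, which is what forces the backtracking above.
function redosPayload(n) {
  return '/*# sourceMappingURL=' + ' '.repeat(n);
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Wall-clock cost of both parsers on the same payload size.
function compare(n) {
  const payload = redosPayload(n);
  return {
    n,
    vulnerableMs: timeMs(() => getAnnotationURLVulnerable(payload)),
    linearMs: timeMs(() => getAnnotationURLLinear(payload)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const benign = 'a{color:red} /*# sourceMappingURL=app.css.map */';
  console.log('benign:', getAnnotationURLVulnerable(benign), getAnnotationURLLinear(benign));
  for (const n of [5000, 10000, 20000]) console.log(compare(n));
}
```

Run it and watch `vulnerableMs` roughly quadruple each time `n` doubles while `linearMs` stays flat; both parsers return the same URL for a well-formed annotation, which is the property the fix has to preserve.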

Publish Date: 2021-04-12

URL: CVE-2021-23368

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368

Release Date: 2021-04-12

Fix Resolution (postcss): 8.2.10

Direct dependency fix Resolution (@vue/compiler-sfc): 3.0.10

⛑️ Automatic Remediation is available for this issue
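All three fixes above resolve to the same change, bumping @vue/compiler-sfc in /frontend/package.json to 3.0.10, but the paths in this issue show why the upgrade needs checking afterwards: postcss is installed nested under node_modules/@vue/compiler-sfc/node_modules/, so a fixed postcss hoisted to the top of node_modules does not remove the vulnerable nested copy. The following is an added example, not the project's code or Mend's tooling: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of nanoid or postcss, hoisted or nested, that is still below the fix versions listed in this issue. The three lockfile fixtures are constructed; the "after" fixture holds the fix thresholds themselves, not the versions any particular compiler-sfc release pins.

```javascript
// Added example, not the project's or Mend's tooling: scan an npm lockfile
// ("packages" map, lockfileVersion 2/3) for every installed copy of the
// libraries named in this issue and report those below the fix versions.

// Thresholds from the "Fix Resolution" lines in this issue. 8.2.13 also covers
// CVE-2021-23368, whose own fix version (8.2.10) is lower.
const FIXED_IN = { nanoid: '3.1.31', postcss: '8.2.13' };

// Numeric compare of plain x.y.z release versions, which is all a lockfile
// records (no ranges or prerelease tags handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/@vue/compiler-sfc/node_modules/postcss" -> "postcss"
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Every lockfile entry whose package is in fixedIn and whose version is below
// the threshold, with its full install path so nested copies are visible.
function findVulnerable(lock, fixedIn = FIXED_IN) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !(name in fixedIn) || !meta.version) continue;
    if (compareVersions(meta.version, fixedIn[name]) < 0) {
      findings.push({ path: lockPath, name, version: meta.version, fixedIn: fixedIn[name] });
    }
  }
  return findings;
}

// Convenience wrapper for a real file, e.g. scanLockfile('frontend/package-lock.json').
function scanLockfile(file) {
  return findVulnerable(JSON.parse(require('fs').readFileSync(file, 'utf8')));
}

// Constructed fixtures. BEFORE mirrors the hierarchy in this issue. HOISTED_ONLY
// is the trap: a fixed postcss at the top level while compiler-sfc keeps its own
// nested 8.2.8. AFTER is what a clean lockfile must contain.
const LOCK_BEFORE = { lockfileVersion: 2, packages: {
  '': { name: 'frontend' },
  'node_modules/@vue/compiler-sfc': { version: '3.0.9' },
  'node_modules/@vue/compiler-sfc/node_modules/postcss': { version: '8.2.8' },
  'node_modules/nanoid': { version: '3.1.22' },
} };
const LOCK_HOISTED_ONLY = { lockfileVersion: 2, packages: {
  '': { name: 'frontend' },
  'node_modules/@vue/compiler-sfc': { version: '3.0.9' },
  'node_modules/@vue/compiler-sfc/node_modules/postcss': { version: '8.2.8' },
  'node_modules/postcss': { version: '8.2.13' },
  'node_modules/nanoid': { version: '3.1.31' },
} };
const LOCK_AFTER = { lockfileVersion: 2, packages: {
  '': { name: 'frontend' },
  'node_modules/@vue/compiler-sfc': { version: '3.0.10' },
  'node_modules/postcss': { version: '8.2.13' },
  'node_modules/nanoid': { version: '3.1.31' },
} };

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, lock] of [['before', LOCK_BEFORE], ['hoisted only', LOCK_HOISTED_ONLY], ['after', LOCK_AFTER]]) {
    console.log(label, findVulnerable(lock));
  }
}
```

The hoisted-only fixture is the case to watch for after an automated bump: `npm ls postcss` would list both copies, and this scan reports the nested one by its full path. Running the scan in CI against the committed lockfile turns the issue's "no longer part of the inventory" closing condition into a check you control.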


⛑️ Automatic Remediation is available for this issue.

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.