[Snyk] Security upgrade @mdn/yari from 0.4.717 to 0.11.22

[ilw4r]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • yarn.lock

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	798/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-EJS-2803307	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)

[sonatype-lift]

Critical OSS Vulnerability:

pkg:npm/%40mdn/yari@0.11.22

25 Critical, 9 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 26 dependencies

Components

pkg:npm/prismjs@1.28.0

CRITICAL Vulnerabilities (1)




[sonatype-2020-1579] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

prismjs - Regular Expression Denial of Service (ReDoS) in SCSS Processor

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/minimatch@3.0.4

CRITICAL Vulnerabilities (1)




[sonatype-2021-4879] Unknown

minimatch - Regular Expression Denial of Service (ReDoS)

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/minimist@1.2.5

CRITICAL Vulnerabilities (1)




[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/path-parse@1.0.6

SEVERE Vulnerabilities (1)




[sonatype-2021-0176] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

path-parse - Regular expression Denial of Service (ReDoS) [CVE-2021-23343]

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/ansi-regex@3.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/async@2.6.3

CRITICAL Vulnerabilities (1)




[CVE-2021-43138] A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

CVSS Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/hosted-git-info@2.8.8

SEVERE Vulnerabilities (1)




[CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/nth-check@2.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-3803] nth-check is vulnerable to Inefficient Regular Expression Complexity

nth-check is vulnerable to Inefficient Regular Expression Complexity

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/lodash@4.17.15

CRITICAL Vulnerabilities (4)




sonatype-2019-0467

[sonatype-2019-0467] CWE-20: Improper Input Validation

lodash - Prototype Pollution

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

sonatype-2020-0739

[sonatype-2020-0739] CWE-471: Modification of Assumed-Immutable Data (MAID)

lodash - Prototype Pollution

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-471

sonatype-2020-0292

[sonatype-2020-0292] CWE-471: Modification of Assumed-Immutable Data (MAID)

lodash - Prototype Pollution [ CVE-2020-8203 ]

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-471

CVE-2021-23337

[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

SEVERE Vulnerabilities (1)




[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/filelist@1.0.1

CRITICAL Vulnerabilities (1)




[sonatype-2021-0457] Unknown

filelist, utilities - Prototype Pollution

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/trim-newlines@1.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-33623] CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

pkg:npm/ansi-regex@5.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/accept-language-parser@1.5.0

CRITICAL Vulnerabilities (1)




[sonatype-2020-1241] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

accept-language-parser - Regular expression Denial of Service (ReDoS)

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/ejs@3.1.7

CRITICAL Vulnerabilities (1)




[sonatype-2021-0438] CWE-94: Improper Control of Generation of Code ('Code Injection')

ejs - Remote Code Execution (RCE)

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

pkg:npm/express@4.17.3

CRITICAL Vulnerabilities (1)




[sonatype-2012-0022] CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

expressjs - HTTP Splitting Attack

The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CVSS Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-113

SEVERE Vulnerabilities (1)




[sonatype-2021-0078] CWE-23: Relative Path Traversal

express + hbs - Local File Read via Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.

CVSS Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-23

pkg:npm/execa@0.7.0

CRITICAL Vulnerabilities (1)




[sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

execa - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/is-svg@4.2.2

CRITICAL Vulnerabilities (1)




[CVE-2021-29059] CWE-770: Allocation of Resources Without Limits or Throttling

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

SEVERE Vulnerabilities (1)




[CVE-2021-23367] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

is-svg - Regular expression Denial of Service (ReDoS)

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/jake@10.8.5

CRITICAL Vulnerabilities (1)




[sonatype-2021-0253] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

jake - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 7.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/lodash@4.17.20

CRITICAL Vulnerabilities (1)




[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

SEVERE Vulnerabilities (1)




[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/ansi-regex@4.1.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/execa@1.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

execa - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/css-what@4.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-33587] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/glob-parent@5.1.1

CRITICAL Vulnerabilities (1)




[CVE-2020-28469] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/color-string@1.5.3

SEVERE Vulnerabilities (1)




[sonatype-2021-0318] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

color-string - Regular Expression Denial of Service (ReDoS) [CVE-2021-29060]

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/ini@1.3.5

CRITICAL Vulnerabilities (1)




[sonatype-2020-1214] CWE-471: Modification of Assumed-Immutable Data (MAID)

ini - Prototype Pollution [CVE-2020-7788]

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 7.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-471

pkg:npm/follow-redirects@1.13.2

SEVERE Vulnerabilities (2)




CVE-2022-0155

[CVE-2022-0155] CWE-359: Exposure of Private Information ('Privacy Violation')

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-359

CVE-2022-0536

[CVE-2022-0536] CWE-200: Information Exposure

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

CVSS Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

(at-me in a reply with help or ignore)

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[sonatype-lift]

Critical OSS Vulnerability:

pkg:npm/%40mdn/yari@0.11.22

25 Critical, 9 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 26 dependencies

Components

pkg:npm/prismjs@1.28.0

CRITICAL Vulnerabilities (1)




[sonatype-2020-1579] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

prismjs - Regular Expression Denial of Service (ReDoS) in SCSS Processor

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/minimatch@3.0.4

CRITICAL Vulnerabilities (1)




[sonatype-2021-4879] Unknown

minimatch - Regular Expression Denial of Service (ReDoS)

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/minimist@1.2.5

CRITICAL Vulnerabilities (1)




[CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/path-parse@1.0.6

SEVERE Vulnerabilities (1)




[sonatype-2021-0176] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

path-parse - Regular expression Denial of Service (ReDoS) [CVE-2021-23343]

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/ansi-regex@3.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/async@2.6.3

CRITICAL Vulnerabilities (1)




[CVE-2021-43138] A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.

CVSS Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/hosted-git-info@2.8.8

SEVERE Vulnerabilities (1)




[CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/nth-check@2.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-3803] nth-check is vulnerable to Inefficient Regular Expression Complexity

nth-check is vulnerable to Inefficient Regular Expression Complexity

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/lodash@4.17.15

CRITICAL Vulnerabilities (4)




sonatype-2019-0467

[sonatype-2019-0467] CWE-20: Improper Input Validation

lodash - Prototype Pollution

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

sonatype-2020-0739

[sonatype-2020-0739] CWE-471: Modification of Assumed-Immutable Data (MAID)

lodash - Prototype Pollution

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-471

sonatype-2020-0292

[sonatype-2020-0292] CWE-471: Modification of Assumed-Immutable Data (MAID)

lodash - Prototype Pollution [ CVE-2020-8203 ]

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-471

CVE-2021-23337

[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

SEVERE Vulnerabilities (1)




[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/filelist@1.0.1

CRITICAL Vulnerabilities (1)




[sonatype-2021-0457] Unknown

filelist, utilities - Prototype Pollution

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-1321

pkg:npm/trim-newlines@1.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-33623] CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

pkg:npm/ansi-regex@5.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/accept-language-parser@1.5.0

CRITICAL Vulnerabilities (1)




[sonatype-2020-1241] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

accept-language-parser - Regular expression Denial of Service (ReDoS)

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/ejs@3.1.7

CRITICAL Vulnerabilities (1)




[sonatype-2021-0438] CWE-94: Improper Control of Generation of Code ('Code Injection')

ejs - Remote Code Execution (RCE)

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVSS Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

pkg:npm/express@4.17.3

CRITICAL Vulnerabilities (1)




[sonatype-2012-0022] CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

expressjs - HTTP Splitting Attack

The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CVSS Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-113

SEVERE Vulnerabilities (1)




[sonatype-2021-0078] CWE-23: Relative Path Traversal

express + hbs - Local File Read via Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.

CVSS Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-23

pkg:npm/execa@0.7.0

CRITICAL Vulnerabilities (1)




[sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

execa - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/is-svg@4.2.2

CRITICAL Vulnerabilities (1)




[CVE-2021-29059] CWE-770: Allocation of Resources Without Limits or Throttling

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

SEVERE Vulnerabilities (1)




[CVE-2021-23367] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

is-svg - Regular expression Denial of Service (ReDoS)

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/jake@10.8.5

CRITICAL Vulnerabilities (1)




[sonatype-2021-0253] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

jake - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 7.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/lodash@4.17.20

CRITICAL Vulnerabilities (1)




[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVSS Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

SEVERE Vulnerabilities (1)




[CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/ansi-regex@4.1.0

CRITICAL Vulnerabilities (1)




[sonatype-2021-1169] Unknown

ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-1333

pkg:npm/execa@1.0.0

CRITICAL Vulnerabilities (1)




[sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

execa - OS Command Injection

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

pkg:npm/css-what@4.0.0

CRITICAL Vulnerabilities (1)




[CVE-2021-33587] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/glob-parent@5.1.1

CRITICAL Vulnerabilities (1)




[CVE-2020-28469] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

pkg:npm/color-string@1.5.3

SEVERE Vulnerabilities (1)




[sonatype-2021-0318] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

color-string - Regular Expression Denial of Service (ReDoS) [CVE-2021-29060]

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

CVSS Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-400

pkg:npm/ini@1.3.5

CRITICAL Vulnerabilities (1)




[sonatype-2020-1214] CWE-471: Modification of Assumed-Immutable Data (MAID)

ini - Prototype Pollution [CVE-2020-7788]

The software does not properly protect an assumed-immutable element from being modified by an attacker.

CVSS Score: 7.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-471

pkg:npm/follow-redirects@1.13.2

SEVERE Vulnerabilities (2)




CVE-2022-0155

[CVE-2022-0155] CWE-359: Exposure of Private Information ('Privacy Violation')

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-359

CVE-2022-0536

[CVE-2022-0536] CWE-200: Information Exposure

Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.

CVSS Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

(at-me in a reply with help or ignore)

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]