
[Snyk] Security upgrade @mdn/yari from 0.4.717 to 0.14.62 #8

Open
wants to merge 1 commit into main
Conversation

ilw4r (Owner) commented Jul 22, 2022

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • yarn.lock

Vulnerabilities that will be fixed

With an upgrade:

    Severity: high severity
    Priority Score (*): 661/1000 (Why? Recently disclosed, Has a fix available, CVSS 7.5)
    Issue: Denial of Service (DoS), SNYK-JS-FILETYPE-2958042
    Breaking Change: No
    Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@@ -14,7 +14,7 @@
"build": "env-cmd --silent cross-env CONTENT_ROOT=files BUILD_OUT_ROOT=build node node_modules/@mdn/yari/build/cli.js"
},
"dependencies": {
"@mdn/yari": "0.4.717",
"@mdn/yari": "0.14.62",
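Review bot: the "build" script two lines above still invokes node_modules/@mdn/yari/build/cli.js with CONTENT_ROOT=files and BUILD_OUT_ROOT=build, and a jump from 0.4.717 to 0.14.62 spans ten minor lines of @mdn/yari; verify that entry point and those environment variables are still honoured by 0.14.62 before merging, since the PR text only asks to "check the changes" for breakage. Note also that the LiftBot scan of the new version below still lists lodash@4.17.15, lodash@4.17.20, minimist@1.2.5 and ansi-regex 3.0.0/4.1.0/5.0.0 as transitive dependencies with open findings, so this bump closes SNYK-JS-FILETYPE-2958042 but not the rest; pin those transitive versions with yarn "resolutions" entries or schedule a follow-up upgrade.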
LiftBot (sonatype-lift) commented on this hunk:

Critical Vulnerability:

pkg:npm/%40mdn/yari@0.14.62

24 Critical, 11 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 27 dependencies

Components
    pkg:npm/lodash@4.17.20
      CRITICAL [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
        Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
        CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
      SEVERE [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

    pkg:npm/ini@1.3.5
      CRITICAL [sonatype-2020-1214] CWE-471: Modification of Assumed-Immutable Data (MAID)
        ini - Prototype Pollution [CVE-2020-7788]
        The software does not properly protect an assumed-immutable element from being modified by an attacker.
        CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    pkg:npm/execa@0.7.0
      CRITICAL [sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
        execa - OS Command Injection
        The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
        CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    pkg:npm/ansi-regex@4.1.0
      CRITICAL [sonatype-2021-1169] CWE-1333
        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/ansi-regex@5.0.0
      CRITICAL [sonatype-2021-1169] CWE-1333
        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/express@4.18.1
      CRITICAL [sonatype-2012-0022] CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
        expressjs - HTTP Splitting Attack
        The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
        CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
      SEVERE [sonatype-2021-0078] CWE-23: Relative Path Traversal
        express + hbs - Local File Read via Path Traversal
        The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.
        CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    pkg:npm/minimist@1.2.5
      CRITICAL [CVE-2021-44906] CWE-1321
        Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
        CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    pkg:npm/execa@1.0.0
      CRITICAL [sonatype-2019-0206] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
        execa - OS Command Injection
        The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
        CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    pkg:npm/css-what@4.0.0
      CRITICAL [CVE-2021-33587] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/accept-language-parser@1.5.0
      CRITICAL [sonatype-2020-1241] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        accept-language-parser - Regular expression Denial of Service (ReDoS)
        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/nth-check@2.0.0
      CRITICAL [CVE-2021-3803] CWE-1333
        nth-check is vulnerable to Inefficient Regular Expression Complexity
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/hosted-git-info@2.8.8
      SEVERE [CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

    pkg:npm/follow-redirects@1.13.2
      SEVERE [CVE-2022-0155] CWE-359: Exposure of Private Information ('Privacy Violation')
        follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
        CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
      SEVERE [CVE-2022-0536] CWE-200: Information Exposure
        Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
        CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    pkg:npm/color-string@1.5.3
      SEVERE [sonatype-2021-0318] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        color-string - Regular Expression Denial of Service (ReDoS) [CVE-2021-29060]
        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

    pkg:npm/got@7.1.0
      SEVERE [CVE-2022-33987] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
        The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    pkg:npm/lodash@4.17.15
      CRITICAL [sonatype-2019-0467] CWE-20: Improper Input Validation
        lodash - Prototype Pollution
        The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
        CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
      CRITICAL [sonatype-2020-0739] CWE-471: Modification of Assumed-Immutable Data (MAID)
        lodash - Prototype Pollution
        The software does not properly protect an assumed-immutable element from being modified by an attacker.
        CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
      CRITICAL [sonatype-2020-0292] CWE-471: Modification of Assumed-Immutable Data (MAID)
        lodash - Prototype Pollution [CVE-2020-8203]
        The software does not properly protect an assumed-immutable element from being modified by an attacker.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
      CRITICAL [CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
        Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
        CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
      SEVERE [CVE-2020-28500] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

    pkg:npm/async@2.6.3
      CRITICAL [CVE-2021-43138] CWE-1321
        In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
        CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

    pkg:npm/path-parse@1.0.6
      SEVERE [sonatype-2021-0176] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        path-parse - Regular expression Denial of Service (ReDoS) [CVE-2021-23343]
        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
        CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/minimatch@3.0.4
      CRITICAL [sonatype-2021-4879] CWE-1333
        minimatch - Regular Expression Denial of Service (ReDoS)
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/got@8.3.2
      SEVERE [CVE-2022-33987] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
        The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
        CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    pkg:npm/prismjs@1.28.0
      CRITICAL [sonatype-2020-1579] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        prismjs - Regular Expression Denial of Service (ReDoS) in SCSS Processor
        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/is-svg@4.2.2
      CRITICAL [CVE-2021-29059] CWE-770: Allocation of Resources Without Limits or Throttling
        A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
      SEVERE [CVE-2021-23367] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        is-svg - Regular expression Denial of Service (ReDoS)
        CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/glob-parent@5.1.1
      CRITICAL [CVE-2020-28469] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/jake@10.8.5
      CRITICAL [sonatype-2021-0253] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
        jake - OS Command Injection
        The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
        CVSS 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

    pkg:npm/ansi-regex@3.0.0
      CRITICAL [sonatype-2021-1169] CWE-1333
        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    pkg:npm/filelist@1.0.1
      CRITICAL [sonatype-2021-0457] CWE-1321
        filelist, utilities - Prototype Pollution
        CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    pkg:npm/trim-newlines@1.0.0
      CRITICAL [CVE-2021-33623] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
        The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
        CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Reply with "@sonatype-lift help" for info about LiftBot commands.
Reply with "@sonatype-lift ignore" to tell LiftBot to leave out the above finding from this PR.
Reply with "@sonatype-lift ignoreall" to tell LiftBot to leave out all the findings from this PR and from the status bar in Github.

resolved "https://registry.yarnpkg.com/@mdn/browser-compat-data/-/browser-compat-data-4.2.1.tgz#1fead437f3957ceebe2e8c3f46beccdb9bc575b8"
integrity sha512-EWUguj2kd7ldmrF9F+vI5hUOralPd+sdsUnYbRy33vZTuZkduC1shE9TtEMEjAQwyfyMb4ole5KtjF8MsnQOlA==

"@mdn/yari@0.14.62":
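Review bot: the integrity line above pins browser-compat-data-4.2.1 by sha512, and the "@mdn/yari@0.14.62" entry that starts here needs its own resolved/integrity pair in the same form; check the full yarn.lock diff for that entry and for the transitive packages LiftBot flags (lodash 4.17.15/4.17.20, minimist 1.2.5, ansi-regex 3.0.0/4.1.0/5.0.0), and confirm the lockfile was regenerated by yarn rather than edited by hand so that every new entry carries an integrity hash.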
