You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page.
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Vulnerable Library - lighthouse-3.2.1.tgz
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44906
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (lighthouse): 6.0.0
CVE-2020-7774
Vulnerable Library - y18n-3.2.1.tgz
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 3.2.2
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2019-10744
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash): 4.17.12
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2022-25851
Vulnerable Library - jpeg-js-0.1.2.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.1.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
The package jpeg-js before 0.4.4 are vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return.
Publish Date: 2022-06-10
URL: CVE-2022-25851
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-06-10
Fix Resolution (jpeg-js): 0.4.4
Direct dependency fix Resolution (lighthouse): 6.2.0
CVE-2021-3807
Vulnerable Library - ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2020-8203
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2020-8116
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution (dot-prop): 4.2.1
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2021-23337
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2022-4187
Vulnerable Libraries - chrome-devtools-frontend-1.0.401423.tgz, chrome-devtools-frontend-1.0.593291.tgz
chrome-devtools-frontend-1.0.401423.tgz
Library home page: https://registry.npmjs.org/chrome-devtools-frontend/-/chrome-devtools-frontend-1.0.401423.tgz
Dependency Hierarchy:
chrome-devtools-frontend-1.0.593291.tgz
Library home page: https://registry.npmjs.org/chrome-devtools-frontend/-/chrome-devtools-frontend-1.0.593291.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)
Publish Date: 2022-11-30
URL: CVE-2022-4187
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/package/chrome-devtools-frontend?activeTab=versions
Release Date: 2022-11-30
Fix Resolution (chrome-devtools-frontend): 1.0.1070764
Direct dependency fix Resolution (lighthouse): 4.0.0
Fix Resolution (chrome-devtools-frontend): 1.0.1070764
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2021-21137
Vulnerable Libraries - chrome-devtools-frontend-1.0.401423.tgz, chrome-devtools-frontend-1.0.593291.tgz
chrome-devtools-frontend-1.0.401423.tgz
Library home page: https://registry.npmjs.org/chrome-devtools-frontend/-/chrome-devtools-frontend-1.0.401423.tgz
Dependency Hierarchy:
chrome-devtools-frontend-1.0.593291.tgz
Library home page: https://registry.npmjs.org/chrome-devtools-frontend/-/chrome-devtools-frontend-1.0.593291.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page.
Publish Date: 2021-02-09
URL: CVE-2021-21137
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21137
Release Date: 2021-02-09
Fix Resolution (chrome-devtools-frontend): 1.0.820688
Direct dependency fix Resolution (lighthouse): 4.0.0
Fix Resolution (chrome-devtools-frontend): 1.0.820688
Direct dependency fix Resolution (lighthouse): 4.0.0
CVE-2020-7598
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (lighthouse): 6.0.0
CVE-2020-8175
Vulnerable Library - jpeg-js-0.1.2.tgz
A pure javascript JPEG encoder and decoder
Library home page: https://registry.npmjs.org/jpeg-js/-/jpeg-js-0.1.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Uncontrolled resource consumption in
jpeg-js
before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.Publish Date: 2020-07-24
URL: CVE-2020-8175
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8175
Release Date: 2020-07-27
Fix Resolution (jpeg-js): 0.4.0
Direct dependency fix Resolution (lighthouse): 6.2.0
CVE-2022-33987
Vulnerable Library - got-6.7.1.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (lighthouse): 9.3.0
CVE-2020-7608
Vulnerable Library - yargs-parser-7.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (lighthouse): 6.0.0
CVE-2020-28500
Vulnerable Library - lodash-4.17.11.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Dependency Hierarchy:
Found in HEAD commit: 3a02ac49d37e94b5747f69bc6d783357d23ba57f
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (lighthouse): 4.0.0
The text was updated successfully, but these errors were encountered: