Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

grunt-if-0.2.0.tgz: 24 vulnerabilities (highest severity is: 9.8) - autoclosed #111

Closed
dimagwhitesourceapp bot opened this issue Dec 18, 2022 · 1 comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dimagwhitesourceapp
Copy link

dimagwhitesourceapp bot commented Dec 18, 2022

Vulnerable Library - grunt-if-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (grunt-if version) Remediation Available
CVE-2021-23369 High 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2019-19919 High 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2021-23383 High 9.8 handlebars-4.0.5.tgz Transitive N/A*
CVE-2020-7774 High 9.8 y18n-3.2.1.tgz Transitive N/A*
CVE-2019-10744 High 9.1 lodash-4.13.1.tgz Transitive N/A*
CVE-2019-20920 High 8.1 handlebars-4.0.5.tgz Transitive N/A*
WS-2019-0063 High 8.1 detected in multiple dependencies Transitive N/A*
CVE-2019-20922 High 7.5 handlebars-4.0.5.tgz Transitive N/A*
CVE-2020-28469 High 7.5 glob-parent-2.0.0.tgz Transitive N/A*
WS-2020-0450 High 7.5 handlebars-4.0.5.tgz Transitive N/A*
CVE-2022-3517 High 7.5 minimatch-3.0.2.tgz Transitive N/A*
CVE-2021-23343 High 7.5 path-parse-1.0.5.tgz Transitive N/A*
WS-2019-0032 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2020-8203 High 7.4 lodash-4.13.1.tgz Transitive N/A*
WS-2019-0064 High 7.3 handlebars-4.0.5.tgz Transitive N/A*
CVE-2021-23337 High 7.2 lodash-4.13.1.tgz Transitive N/A*
WS-2018-0590 High 7.1 diff-1.4.0.tgz Transitive N/A*
CVE-2019-1010266 Medium 6.5 lodash-4.13.1.tgz Transitive N/A*
CVE-2018-3721 Medium 6.5 lodash-4.13.1.tgz Transitive N/A*
WS-2019-0103 Medium 5.6 handlebars-4.0.5.tgz Transitive N/A*
CVE-2018-16487 Medium 5.6 lodash-4.13.1.tgz Transitive N/A*
CVE-2020-28500 Medium 5.3 lodash-4.13.1.tgz Transitive N/A*
CVE-2020-7608 Medium 5.3 yargs-parser-2.4.1.tgz Transitive N/A*
CVE-2017-16028 Medium 5.3 randomatic-1.1.5.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2021-23369

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@b6d3de7

Release Date: 2021-04-12

Fix Resolution: com.github.jknack:handlebars:4.2.0, handlebars - 4.7.7

CVE-2019-19919

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

Release Date: 2019-12-20

Fix Resolution: handlebars - 4.3.0

CVE-2021-23383

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution: handlebars - 4.7.7

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/y18n/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • yargs-4.8.1.tgz
              • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution: 3.2.2, 4.0.1, 5.0.5

CVE-2019-10744

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0

CVE-2019-20920

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution: handlebars - 4.5.3

WS-2019-0063

Vulnerable Libraries - js-yaml-3.6.1.tgz, js-yaml-3.5.5.tgz

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coveralls/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • coveralls-2.13.3.tgz
            • js-yaml-3.6.1.tgz (Vulnerable Library)

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • js-yaml-3.5.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2019-20922

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution: handlebars - 4.4.5

CVE-2020-28469

Vulnerable Library - glob-parent-2.0.0.tgz

Strips glob magic from a string to provide the parent path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • micromatch-2.3.11.tgz
              • parse-glob-3.0.4.tgz
                • glob-base-0.3.0.tgz
                  • glob-parent-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution: glob-parent - 5.1.2

WS-2020-0450

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars before 4.6.0 vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial Of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js#1633

Release Date: 2020-01-09

Fix Resolution: handlebars - 4.6.0

CVE-2022-3517

Vulnerable Library - minimatch-3.0.2.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • glob-7.0.5.tgz
              • minimatch-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: isaacs/minimatch@a8763f4

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2021-23343

Vulnerable Library - path-parse-1.0.5.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/path-parse/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-report-1.0.0-alpha.3.tgz
              • path-parse-1.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: jbgutierrez/path-parse#8

Release Date: 2021-05-04

Fix Resolution: path-parse - 1.0.7

WS-2019-0032

Vulnerable Libraries - js-yaml-3.6.1.tgz, js-yaml-3.5.5.tgz

js-yaml-3.6.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/coveralls/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • coveralls-2.13.3.tgz
            • js-yaml-3.6.1.tgz (Vulnerable Library)

js-yaml-3.5.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.5.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • js-yaml-3.5.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

CVE-2020-8203

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: lodash - 4.17.19

WS-2019-0064

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution: 3.0.7,4.0.14,4.1.2

CVE-2021-23337

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21, lodash-es - 4.17.21

WS-2018-0590

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • tap-mocha-reporter-2.0.1.tgz
            • diff-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2018-03-05

Fix Resolution: 3.5.0

CVE-2019-1010266

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@5c08f18

Release Date: 2019-07-17

Fix Resolution: lodash-4.17.11

CVE-2018-3721

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Mend Note: Converted from WS-2019-0184, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-04-26

Fix Resolution: lodash 4.17.5

WS-2019-0103

Vulnerable Library - handlebars-4.0.5.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/handlebars/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-reports-1.0.0-alpha.8.tgz
              • handlebars-4.0.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@edc6220

Release Date: 2019-01-30

Fix Resolution: 4.1.0

CVE-2018-16487

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution: lodash 4.17.11

CVE-2020-28500

Vulnerable Library - lodash-4.13.1.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • istanbul-lib-instrument-1.1.0-alpha.4.tgz
              • babel-types-6.11.1.tgz
                • lodash-4.13.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: lodash - 4.17.21

CVE-2020-7608

Vulnerable Library - yargs-parser-2.4.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • yargs-parser-2.4.1.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: yargs/yargs-parser@63810ca

Release Date: 2020-03-16

Fix Resolution: 5.0.1;13.1.2;15.0.1;18.1.1

CVE-2017-16028

Vulnerable Library - randomatic-1.1.5.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/nyc/node_modules/randomatic/package.json

Dependency Hierarchy:

  • grunt-if-0.2.0.tgz (Root Library)
    • grunt-contrib-nodeunit-1.0.0.tgz
      • nodeunit-0.9.5.tgz
        • tap-7.1.2.tgz
          • nyc-7.1.0.tgz
            • micromatch-2.3.11.tgz
              • braces-1.8.5.tgz
                • expand-range-1.8.2.tgz
                  • fill-range-2.2.3.tgz
                    • randomatic-1.1.5.tgz (Vulnerable Library)

Found in HEAD commit: b048946ae42446c0ab583ee08f8d27d6b90499e5

Found in base branch: master

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/157/versions

Release Date: 2018-04-26

Fix Resolution: 3.0.0

@dimagwhitesourceapp dimagwhitesourceapp bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 18, 2022
@dimagwhitesourceapp dimagwhitesourceapp bot changed the title grunt-if-0.2.0.tgz: 24 vulnerabilities (highest severity is: 9.8) grunt-if-0.2.0.tgz: 24 vulnerabilities (highest severity is: 9.8) - autoclosed Dec 4, 2023
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants