@scaffold-eth/hardhat-1.0.0.tgz: 42 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - @scaffold-eth/hardhat-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (@scaffold-eth/hardhat version)	Remediation Possible**
CVE-2023-26136	Critical	9.8	tough-cookie-2.5.0.tgz	Transitive	N/A*	❌
CVE-2021-44906	Critical	9.8	minimist-1.2.5.tgz	Transitive	N/A*	❌
CVE-2023-45133	High	8.8	babel-traverse-6.26.0.tgz	Transitive	N/A*	❌
CVE-2023-30542	High	8.8	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-46175	High	8.8	json5-0.5.1.tgz	Transitive	N/A*	❌
CVE-2021-43138	High	7.8	detected in multiple dependencies	Transitive	N/A*	❌
WS-2021-0638	High	7.5	mocha-7.2.0.tgz	Transitive	N/A*	❌
CVE-2024-21505	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2023-46234	High	7.5	browserify-sign-4.2.1.tgz	Transitive	N/A*	❌
CVE-2023-43646	High	7.5	get-func-name-2.0.0.tgz	Transitive	N/A*	❌
CVE-2023-26115	High	7.5	word-wrap-1.2.3.tgz	Transitive	N/A*	❌
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2022-31198	High	7.5	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-31172	High	7.5	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-31170	High	7.5	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-25883	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-25881	High	7.5	http-cache-semantics-4.1.0.tgz	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2021-3807	High	7.5	ansi-regex-5.0.0.tgz	Transitive	N/A*	❌
CVE-2021-3749	High	7.5	axios-0.21.1.tgz	Transitive	N/A*	❌
CVE-2021-23358	High	7.2	underscore-1.9.1.tgz	Transitive	N/A*	❌
CVE-2021-23337	High	7.2	lodash-4.17.20.tgz	Transitive	N/A*	❌
CVE-2024-28849	Medium	6.5	follow-redirects-1.14.1.tgz	Transitive	N/A*	❌
CVE-2023-45857	Medium	6.5	axios-0.21.1.tgz	Transitive	N/A*	❌
CVE-2022-35961	Medium	6.5	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-1365	Medium	6.5	cross-fetch-2.2.5.tgz	Transitive	N/A*	❌
CVE-2022-0155	Medium	6.5	follow-redirects-1.14.1.tgz	Transitive	N/A*	❌
CVE-2023-28155	Medium	6.1	request-2.88.2.tgz	Transitive	N/A*	❌
CVE-2023-26159	Medium	6.1	follow-redirects-1.14.1.tgz	Transitive	N/A*	❌
CVE-2022-0235	Medium	6.1	node-fetch-2.6.1.tgz	Transitive	N/A*	❌
CVE-2022-0536	Medium	5.9	follow-redirects-1.14.1.tgz	Transitive	N/A*	❌
CVE-2023-40014	Medium	5.3	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2023-34234	Medium	5.3	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2023-30541	Medium	5.3	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-35916	Medium	5.3	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-35915	Medium	5.3	contracts-4.4.2.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2020-7608	Medium	5.3	yargs-parser-2.4.1.tgz	Transitive	N/A*	❌
CVE-2020-28500	Medium	5.3	lodash-4.17.20.tgz	Transitive	N/A*	❌
CVE-2017-16137	Low	3.7	debug-3.2.6.tgz	Transitive	N/A*	❌
WS-2019-0075	Low	3.3	web3-1.2.11.tgz	Transitive	N/A*	❌
CVE-2024-27088	Low	0.0	es5-ext-0.10.53.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • hardhat-gas-reporter-1.0.4.tgz
    • eth-gas-reporter-0.2.22.tgz
      • request-promise-native-1.0.9.tgz
        • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution: tough-cookie - 4.1.3

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • patch-package-6.4.7.tgz
        • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution: minimist - 0.2.4,1.2.6

Step up your Open Source Security Game with Mend here

CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-provider-engine-14.2.1.tgz
          • eth-json-rpc-infura-3.2.1.tgz
            • json-rpc-engine-3.8.0.tgz
              • babel-preset-env-1.7.0.tgz
                • babel-plugin-transform-es2015-modules-umd-6.24.1.tgz
                  • babel-template-6.26.0.tgz
                  • ❌ babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

Step up your Open Source Security Game with Mend here

CVE-2023-30542

Vulnerable Library - contracts-4.4.2.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ❌ contracts-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.

Publish Date: 2023-04-16

URL: CVE-2023-30542

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-93hq-5wgc-jc82

Release Date: 2023-04-16

Fix Resolution: @openzeppelin/contracts - 4.8.3;@openzeppelin/contracts-upgradeable - 4.8.3

Step up your Open Source Security Game with Mend here

CVE-2022-46175

Vulnerable Library - json5-0.5.1.tgz

JSON for the ES5 era.

Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-provider-engine-14.2.1.tgz
          • eth-json-rpc-infura-3.2.1.tgz
            • json-rpc-engine-3.8.0.tgz
              • babelify-7.3.0.tgz
                • babel-core-6.26.3.tgz
                  • ❌ json5-0.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution: json5 - 2.2.2

Step up your Open Source Security Game with Mend here

CVE-2021-43138

Vulnerable Libraries - async-2.6.2.tgz, async-2.6.3.tgz

async-2.6.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • ❌ async-2.6.2.tgz (Vulnerable Library)

async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-provider-engine-14.2.1.tgz
          • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution: async - 2.6.4,3.2.2

Step up your Open Source Security Game with Mend here

WS-2021-0638

Vulnerable Library - mocha-7.2.0.tgz

simple, flexible, fun test framework

Library home page: https://registry.npmjs.org/mocha/-/mocha-7.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • hardhat-gas-reporter-1.0.4.tgz
    • eth-gas-reporter-0.2.22.tgz
      • ❌ mocha-7.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.

Publish Date: 2021-09-18

URL: WS-2021-0638

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-18

Fix Resolution: mocha - 10.1.0

Step up your Open Source Security Game with Mend here

CVE-2024-21505

Vulnerable Libraries - web3-utils-1.5.0.tgz, web3-utils-1.2.11.tgz

web3-utils-1.5.0.tgz

Collection of utility functions used in web3.js.

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ens-3.3.0.tgz
        • ens-0.4.5.tgz
          • ❌ web3-utils-1.5.0.tgz (Vulnerable Library)

web3-utils-1.2.11.tgz

Collection of utility functions used in web3.js.

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.2.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-1.2.11.tgz
          • ❌ web3-utils-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1

Step up your Open Source Security Game with Mend here

CVE-2023-46234

Vulnerable Library - browserify-sign-4.2.1.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-1.2.11.tgz
          • web3-eth-1.2.11.tgz
            • web3-eth-accounts-1.2.11.tgz
              • crypto-browserify-3.12.0.tgz
                • ❌ browserify-sign-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution: browserify-sign - 4.2.2

Step up your Open Source Security Game with Mend here

CVE-2023-43646

Vulnerable Library - get-func-name-2.0.0.tgz

Utility for getting a function's name for node and the browser

Library home page: https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • chai-4.3.4.tgz
    • ❌ get-func-name-2.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit f934b228b which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-09-27

URL: CVE-2023-43646

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4q6p-r6v2-jvc5

Release Date: 2023-09-27

Fix Resolution: get-func-name - 2.0.1,3.0.0

Step up your Open Source Security Game with Mend here

CVE-2023-26115

Vulnerable Library - word-wrap-1.2.3.tgz

Wrap words to a specified length.

Library home page: https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • eslint-7.31.0.tgz
    • optionator-0.9.1.tgz
      • ❌ word-wrap-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Publish Date: 2023-06-22

URL: CVE-2023-26115

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j8xg-fqg3-53r7

Release Date: 2023-06-22

Fix Resolution: word-wrap - 1.2.4

Step up your Open Source Security Game with Mend here

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-provider-engine-14.2.1.tgz
          • eth-json-rpc-infura-3.2.1.tgz
            • json-rpc-engine-3.8.0.tgz
              • babelify-7.3.0.tgz
                • babel-core-6.26.3.tgz
                  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Step up your Open Source Security Game with Mend here

CVE-2022-31198

Vulnerable Library - contracts-4.4.2.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ❌ contracts-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum.

Publish Date: 2022-08-01

URL: CVE-2022-31198

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xrc4-737v-9q75

Release Date: 2022-08-01

Fix Resolution: @openzeppelin/contracts-upgradeable - 4.7.2, @openzeppelin/contracts - 4.7.2

Step up your Open Source Security Game with Mend here

CVE-2022-31172

Vulnerable Library - contracts-4.4.2.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ❌ contracts-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.

Publish Date: 2022-07-22

URL: CVE-2022-31172

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4g63-c64m-25w9

Release Date: 2022-07-22

Fix Resolution: @openzeppelin/contracts - 4.7.1;@openzeppelin/contracts-upgradeable - 4.7.1

Step up your Open Source Security Game with Mend here

CVE-2022-31170

Vulnerable Library - contracts-4.4.2.tgz

Secure Smart Contract library for Solidity

Library home page: https://registry.npmjs.org/@openzeppelin/contracts/-/contracts-4.4.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ❌ contracts-4.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning false. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1.

Publish Date: 2022-07-22

URL: CVE-2022-31170

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qh9x-gcfh-pcrw

Release Date: 2022-07-22

Fix Resolution: @openzeppelin/contracts - 4.7.1;@openzeppelin/contracts-upgradeable - 4.7.1

Step up your Open Source Security Game with Mend here

CVE-2022-25883

Vulnerable Libraries - semver-7.3.5.tgz, semver-6.3.0.tgz, semver-5.7.1.tgz

semver-7.3.5.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-7.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • eslint-7.31.0.tgz
    • ❌ semver-7.3.5.tgz (Vulnerable Library)

semver-6.3.0.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-6.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • hardhat-etherscan-3.0.1.tgz
    • ❌ semver-6.3.0.tgz (Vulnerable Library)

semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ens-3.3.0.tgz
        • ens-0.4.5.tgz
          • solc-0.4.26.tgz
            • ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Step up your Open Source Security Game with Mend here

CVE-2022-25881

Vulnerable Library - http-cache-semantics-4.1.0.tgz

Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies

Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-1.2.11.tgz
          • web3-bzz-1.2.11.tgz
            • got-9.6.0.tgz
              • cacheable-request-6.1.0.tgz
                • ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Publish Date: 2023-01-31

URL: CVE-2022-25881

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rc47-6667-2j5j

Release Date: 2023-01-31

Fix Resolution: http-cache-semantics - 4.1.1;org.webjars.npm:http-cache-semantics:4.1.1

Step up your Open Source Security Game with Mend here

CVE-2022-24999

Vulnerable Libraries - qs-6.7.0.tgz, qs-6.10.1.tgz

qs-6.7.0.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • ethereum-waffle-3.4.0.tgz
    • provider-3.4.0.tgz
      • ganache-core-2.13.2.tgz
        • web3-1.2.11.tgz
          • web3-bzz-1.2.11.tgz
            • swarm-js-0.1.40.tgz
              • eth-lib-0.1.29.tgz
                • servify-0.1.12.tgz
                  • express-4.17.1.tgz
                  • ❌ qs-6.7.0.tgz (Vulnerable Library)

qs-6.10.1.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.10.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • hardhat-deploy-0.9.0.tgz
    • ❌ qs-6.10.1.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution: qs - 6.2.4,6.3.3,6.4.1,6.5.3,6.6.1,6.7.3,6.8.3,6.9.7,6.10.3

Step up your Open Source Security Game with Mend here

CVE-2021-3807

Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• @scaffold-eth/hardhat-1.0.0.tgz (Root Library)
  • eslint-7.31.0.tgz
    • strip-ansi-6.0.0.tgz
      • ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 92754ee55025bfd0d7a64d23f989a7333a0a8d5d

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with Mend here