GithubHelp home page GithubHelp logo

haaskiweatherapp's People

Contributors

sammiearchie77 avatar

Stargazers

avatar

Watchers

avatar

haaskiweatherapp's Issues

cli-plugin-babel-4.5.6.tgz: 7 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - cli-plugin-babel-4.5.6.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/shell-quote/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cli-plugin-babel version) Remediation Possible**
CVE-2023-26136 Critical 9.8 tough-cookie-2.5.0.tgz Transitive 5.0.0
CVE-2022-37601 Critical 9.8 loader-utils-1.4.0.tgz Transitive 4.5.7
CVE-2021-42740 Critical 9.8 shell-quote-1.7.2.tgz Transitive 4.5.7
CVE-2022-46175 High 8.8 detected in multiple dependencies Transitive 4.5.7
CVE-2022-38900 High 7.5 decode-uri-component-0.2.0.tgz Transitive 4.5.7
CVE-2022-37603 High 7.5 loader-utils-1.4.0.tgz Transitive 4.5.7
CVE-2023-28155 Medium 6.1 request-2.88.2.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • cli-shared-utils-4.5.6.tgz
      • request-2.88.2.tgz
        • tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (@vue/cli-plugin-babel): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-37601

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • babel-loader-8.1.0.tgz
      • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2021-42740

Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/shell-quote/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • cli-shared-utils-4.5.6.tgz
      • launch-editor-2.2.1.tgz
        • shell-quote-1.7.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2022-46175

Vulnerable Libraries - json5-2.1.3.tgz, json5-1.0.1.tgz

json5-2.1.3.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/json5/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • core-7.11.6.tgz
      • json5-2.1.3.tgz (Vulnerable Library)

json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/loader-utils/node_modules/json5/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • babel-loader-8.1.0.tgz
      • loader-utils-1.4.0.tgz
        • json5-1.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • webpack-4.44.2.tgz
      • micromatch-3.1.10.tgz
        • snapdragon-0.8.2.tgz
          • source-map-resolve-0.5.3.tgz
            • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2022-37603

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • babel-loader-8.1.0.tgz
      • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/request/package.json

Dependency Hierarchy:

  • cli-plugin-babel-4.5.6.tgz (Root Library)
    • cli-shared-utils-4.5.6.tgz
      • request-2.88.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Step up your Open Source Security Game with Mend here

CVE-2021-23364 (Medium) detected in browserslist-4.14.4.tgz - autoclosed

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.14.4.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.4.tgz

Path to dependency file: haaskiweatherapp/vue-weather/package.json

Path to vulnerable library: haaskiweatherapp/vue-weather/node_modules/browserslist/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • browserslist-4.14.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution: browserslist - 4.16.5

Step up your Open Source Security Game with WhiteSource here

cli-plugin-eslint-4.5.6.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - cli-plugin-eslint-4.5.6.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cli-plugin-eslint version) Remediation Possible**
CVE-2020-28469 High 7.5 glob-parent-3.1.0.tgz Transitive 5.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-28469

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • cli-plugin-eslint-4.5.6.tgz (Root Library)
    • globby-9.2.0.tgz
      • fast-glob-2.2.7.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (@vue/cli-plugin-eslint): 5.0.0

Step up your Open Source Security Game with Mend here

WS-2020-0208 (Medium) detected in highlight.js-9.18.3.tgz - autoclosed

WS-2020-0208 - Medium Severity Vulnerability

Vulnerable Library - highlight.js-9.18.3.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.3.tgz

Path to dependency file: haaskiweatherapp/vue-weather/package.json

Path to vulnerable library: haaskiweatherapp/vue-weather/node_modules/highlight.js/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • cli-highlight-2.1.4.tgz
      • highlight.js-9.18.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/highlightjs/highlight.js/tree/10.4.1

Release Date: 2020-12-04

Fix Resolution: 10.4.1

Step up your Open Source Security Game with WhiteSource here

cli-service-4.5.6.tgz: 9 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - cli-service-4.5.6.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/highlight.js/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cli-service version) Remediation Possible**
CVE-2022-37601 Critical 9.8 loader-utils-0.2.17.tgz Transitive 5.0.1
CVE-2022-37598 Critical 9.8 uglify-js-3.4.10.tgz Transitive 5.0.1
CVE-2022-46175 High 8.8 json5-0.5.1.tgz Transitive 5.0.1
CVE-2021-43138 High 7.8 async-2.6.3.tgz Transitive 4.5.7
CVE-2022-25858 High 7.5 terser-4.8.0.tgz Transitive 4.5.7
CVE-2022-37620 High 7.5 html-minifier-3.5.21.tgz Transitive N/A*
CVE-2021-33502 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2021-23364 Medium 5.3 browserslist-4.14.4.tgz Transitive 4.5.7
WS-2020-0208 Medium 5.3 highlight.js-9.18.3.tgz Transitive 4.5.7

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37601

Vulnerable Library - loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/html-webpack-plugin/node_modules/loader-utils/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • html-webpack-plugin-3.2.0.tgz
      • loader-utils-0.2.17.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-37598

Vulnerable Library - uglify-js-3.4.10.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.4.10.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • html-webpack-plugin-3.2.0.tgz
      • html-minifier-3.5.21.tgz
        • uglify-js-3.4.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

Publish Date: 2022-10-20

URL: CVE-2022-37598

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-20

Fix Resolution (uglify-js): 3.13.10

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Step up your Open Source Security Game with Mend here

CVE-2022-46175

Vulnerable Library - json5-0.5.1.tgz

JSON for the ES5 era.

Library home page: https://registry.npmjs.org/json5/-/json5-0.5.1.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/html-webpack-plugin/node_modules/json5/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • html-webpack-plugin-3.2.0.tgz
      • loader-utils-0.2.17.tgz
        • json5-0.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (@vue/cli-service): 5.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-43138

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/async/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • portfinder-1.0.28.tgz
      • async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (@vue/cli-service): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2022-25858

Vulnerable Library - terser-4.8.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/terser/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • terser-webpack-plugin-2.3.8.tgz
      • terser-4.8.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 4.8.1

Direct dependency fix Resolution (@vue/cli-service): 4.5.7

Step up your Open Source Security Game with Mend here

CVE-2022-37620

Vulnerable Library - html-minifier-3.5.21.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/html-minifier/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • html-webpack-plugin-3.2.0.tgz
      • html-minifier-3.5.21.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

Publish Date: 2022-10-31

URL: CVE-2022-37620

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2021-33502

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • mini-css-extract-plugin-0.9.0.tgz
      • normalize-url-1.9.1.tgz (Vulnerable Library)

normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • optimize-cssnano-plugin-1.0.6.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-normalize-url-4.0.1.tgz
          • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1

Step up your Open Source Security Game with Mend here

CVE-2021-23364

Vulnerable Library - browserslist-4.14.4.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.4.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/browserslist/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • browserslist-4.14.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (@vue/cli-service): 4.5.7

Step up your Open Source Security Game with Mend here

WS-2020-0208

Vulnerable Library - highlight.js-9.18.3.tgz

Syntax highlighting with language autodetection.

Library home page: https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.3.tgz

Path to dependency file: /vue-weather/package.json

Path to vulnerable library: /vue-weather/node_modules/highlight.js/package.json

Dependency Hierarchy:

  • cli-service-4.5.6.tgz (Root Library)
    • cli-highlight-2.1.4.tgz
      • highlight.js-9.18.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service). This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

Publish Date: 2020-12-04

URL: WS-2020-0208

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-04

Fix Resolution (highlight.js): 10.4.1

Direct dependency fix Resolution (@vue/cli-service): 4.5.7

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.