📂 Vulnerable Library - legal-eagle-0.14.0.tgz
A tool for listing the licenses of all dependencies of a node module
Path to dependency file: /script/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2016-10540 |
🔴 High |
8.7 |
Not Defined |
< 1% |
minimatch-2.0.10.tgz |
Transitive |
N/A |
❌ |
|
| CVE-2022-3517 |
🔴 High |
8.7 |
Not Defined |
< 1% |
minimatch-2.0.10.tgz |
Transitive |
N/A |
❌ |
|
| CVE-2021-23358 |
🟡 Low |
1.2 |
Proof of concept |
1.4000001% |
underscore-1.6.0.tgz |
Transitive |
N/A |
❌ |
|
Details
🔴CVE-2016-10540
Vulnerable Library - minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
scandal-3.2.0.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
- glob-4.3.1.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
babel-core-5.8.38.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
coffeelint-1.15.7.tgz (Root Library)
- glob-4.5.3.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
legal-eagle-0.14.0.tgz (Root Library)
- read-installed-3.1.3.tgz
- read-package-json-1.3.3.tgz
- glob-5.0.15.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
glob-7.0.3.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript "RegExp" objects. The primary function, "minimatch(path, pattern)" in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the "pattern" parameter.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: May 31, 2018 08:00 PM
URL: CVE-2016-10540
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hxm2-r34f-qmc5
Release Date: May 31, 2018 08:00 PM
Fix Resolution : minimatch - 3.0.2
🔴CVE-2022-3517
Vulnerable Library - minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
-
scandal-3.2.0.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
- glob-4.3.1.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
babel-core-5.8.38.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
coffeelint-1.15.7.tgz (Root Library)
- glob-4.5.3.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
legal-eagle-0.14.0.tgz (Root Library)
- read-installed-3.1.3.tgz
- read-package-json-1.3.3.tgz
- glob-5.0.15.tgz
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
-
glob-7.0.3.tgz (Root Library)
- ❌ minimatch-2.0.10.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution : minimatch - 3.0.5
🟡CVE-2021-23358
Vulnerable Library - underscore-1.6.0.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: Mar 29, 2021 01:15 PM
URL: CVE-2021-23358
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:1.4000001%
Score: 1.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-cf4h-3jhx-xvhq
Release Date: Mar 29, 2021 01:15 PM
Fix Resolution : underscore.js - 1.12.1,underscore - 1.12.1
📂 Vulnerable Library - legal-eagle-0.14.0.tgz
A tool for listing the licenses of all dependencies of a node module
Path to dependency file: /script/package.json
Findings
Details
🔴CVE-2016-10540
Vulnerable Library - minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
scandal-3.2.0.tgz (Root Library)
settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
babel-core-5.8.38.tgz (Root Library)
coffeelint-1.15.7.tgz (Root Library)
legal-eagle-0.14.0.tgz (Root Library)
glob-7.0.3.tgz (Root Library)
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript "RegExp" objects. The primary function, "minimatch(path, pattern)" in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the "pattern" parameter.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: May 31, 2018 08:00 PM
URL: CVE-2016-10540
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hxm2-r34f-qmc5
Release Date: May 31, 2018 08:00 PM
Fix Resolution : minimatch - 3.0.2
🔴CVE-2022-3517
Vulnerable Library - minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
scandal-3.2.0.tgz (Root Library)
settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
babel-core-5.8.38.tgz (Root Library)
coffeelint-1.15.7.tgz (Root Library)
legal-eagle-0.14.0.tgz (Root Library)
glob-7.0.3.tgz (Root Library)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution : minimatch - 3.0.5
🟡CVE-2021-23358
Vulnerable Library - underscore-1.6.0.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
settings-view-https://www.atom.io/api/packages/settings-view/versions/0.261.3/tarball.tgz (Root Library)
legal-eagle-0.14.0.tgz (Root Library)
tello-1.2.0.tgz (Root Library)
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: Mar 29, 2021 01:15 PM
URL: CVE-2021-23358
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:1.4000001%
Score: 1.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-cf4h-3jhx-xvhq
Release Date: Mar 29, 2021 01:15 PM
Fix Resolution : underscore.js - 1.12.1,underscore - 1.12.1