📂 Vulnerable Library - pr-changelog-0.3.2.tgz
Changelog generator
Path to dependency file: /script/vsts/package.json
Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-23490 | 🔴 High | 8.7 | Not Defined | < 1% | parse-link-header-0.4.1.tgz | Transitive | N/A | ❌ | |
| CVE-2020-8203 | 🔴 High | 8.3 | Not Defined | 2.4% | lodash-4.17.10.tgz | Transitive | N/A | ❌ | |
| CVE-2021-23337 | 🔴 High | 7.3 | Proof of concept | < 1% | lodash-4.17.10.tgz | Transitive | N/A | ❌ | |
| CVE-2019-1010266 | 🔴 High | 7.1 | Not Defined | < 1% | lodash-4.17.10.tgz | Transitive | N/A | ❌ | |
| CVE-2020-28500 | 🟠 Medium | 5.5 | Proof of concept | < 1% | lodash-4.17.10.tgz | Transitive | N/A | ❌ | |

All five findings are transitive and the table records no remediation for them (Fixed in N/A, Remediation Available ❌); the patched version of each vulnerable library itself is listed under Suggested Fix in the finding's details below. The Reachability column is empty for every finding.
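Because every finding is transitive, the practical remediation question is where the vulnerable versions sit in the tree and how to force a fixed version without waiting for the root libraries. The following is an added example written for this report, not code from Mend or from pr-changelog: it walks an `npm ls --json`-style dependency tree, lists every path ending in a version below the fix version, and builds the package.json `overrides` entry that pins the fixed version for all dependents. The tree is constructed inline from two of the hierarchies in this report plus one made-up dependent (`example-tool`) that already carries a patched lodash; the version comparison assumes plain x.y.z version strings.

```javascript
// Added example (not Mend's or pr-changelog's code): walk an `npm ls --json`-style
// dependency tree, list every path that ends in a vulnerable package version,
// and build the package.json "overrides" block that pins the fixed version for
// all transitive dependents. The tree below is constructed from the
// Dependency Hierarchy sections of this report, plus one hypothetical
// already-patched branch ("example-tool") to show that it is skipped.

// Minimal MAJOR.MINOR.PATCH comparison; prerelease tags are ignored
// (assumption: versions in the tree are plain x.y.z or x.y.z-tag strings).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over { dependencies: { name: { version, dependencies } } }.
// Returns one "root@v > ... > pkg@v" string per vulnerable occurrence.
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkgName && compareVersions(info.version, fixedVersion) < 0) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

// Returns a copy of package.json with an "overrides" entry per fix
// (npm >= 8.3; the equivalent yarn field is "resolutions").
function withOverrides(packageJson, fixes) {
  const out = JSON.parse(JSON.stringify(packageJson));
  out.overrides = { ...(out.overrides || {}), ...fixes };
  return out;
}

// Constructed sample tree: two hierarchies from this report and one made-up
// dependent that already ships a patched lodash.
const SAMPLE_TREE = {
  dependencies: {
    'pr-changelog': {
      version: '0.3.2',
      dependencies: {
        'parse-link-header': { version: '0.4.1' },
        'babel-preset-es2015': {
          version: '6.24.1',
          dependencies: {
            'babel-plugin-transform-es2015-sticky-regex': {
              version: '6.24.1',
              dependencies: {
                'babel-helper-regex': {
                  version: '6.26.0',
                  dependencies: { lodash: { version: '4.17.10' } },
                },
              },
            },
          },
        },
      },
    },
    'request-promise-native': {
      version: '1.0.5',
      dependencies: {
        'request-promise-core': {
          version: '1.1.1',
          dependencies: { lodash: { version: '4.17.10' } },
        },
      },
    },
    'example-tool': { version: '1.0.0', dependencies: { lodash: { version: '4.17.21' } } },
  },
};

// Highest fix version named for each library in this report.
const FIXES = { lodash: '4.17.21', 'parse-link-header': '2.0.0' };

function report(tree = SAMPLE_TREE, fixes = FIXES) {
  const paths = {};
  for (const [name, fixed] of Object.entries(fixes)) {
    paths[name] = findVulnerablePaths(tree, name, fixed);
  }
  return paths;
}

console.log(JSON.stringify(report(), null, 2));
console.log(JSON.stringify(withOverrides({ name: 'app', version: '1.0.0' }, FIXES), null, 2));
```

lodash 4.17.21 is the highest fix version named in this report and covers all four lodash findings (fixed in 4.17.11, 4.17.19 and 4.17.21). An override changes what every dependent receives, so after `npm install` confirm with `npm ls lodash` that no copy of 4.17.10 remains and run the build scripts that depend on the overridden packages.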
Details
🔴CVE-2021-23490
Vulnerable Library - parse-link-header-0.4.1.tgz
Parses a link header and returns paging information for each contained link.
Library home page: https://registry.npmjs.org/parse-link-header/-/parse-link-header-0.4.1.tgz
Path to dependency file: /script/vsts/package.json
Dependency Hierarchy:
- pr-changelog-0.3.2.tgz (Root Library)
  - ❌ parse-link-header-0.4.1.tgz (Vulnerable Library)
Vulnerability Details
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
Publish Date: Dec 24, 2021 08:05 PM
URL: CVE-2021-23490
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-q674-xm3x-2926
Release Date: Dec 24, 2021 08:05 PM
Fix Resolution: parse-link-header 2.0.0 (no fix is recorded for the git source https://github.com/thlorenz/parse-link-header.git)
🔴CVE-2020-8203
Vulnerable Library - lodash-4.17.10.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- pr-changelog-0.3.2.tgz (Root Library)
  - babel-preset-es2015-6.24.1.tgz
    - babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      - babel-helper-regex-6.26.0.tgz
        - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- request-promise-native-1.0.5.tgz (Root Library)
  - request-promise-core-1.1.1.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- stylelint-9.3.0.tgz (Root Library)
  - postcss-reporter-5.0.0.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- electron-packager-16.0.0.tgz (Root Library)
  - get-2.0.1.tgz
    - global-tunnel-ng-2.7.1.tgz
      - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- cheerio-1.0.0-rc.2.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- rest-15.9.5.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution in lodash before 4.17.20 when _.zipObjectDeep is called with attacker-controlled property paths.
Publish Date: Jul 15, 2020 04:10 PM
URL: CVE-2020-8203
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.4%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p6mc-m468-83gw
Release Date: Jul 15, 2020 04:10 PM
Fix Resolution: lodash 4.17.19, lodash-es 4.17.20
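To see why a deep-path setter such as _.zipObjectDeep pollutes prototypes, the following added example (a simplified stand-in written for this report, not lodash's source) implements the minimal deep key setter once without path validation and once refusing the keys that reach a shared prototype. The attack path `__proto__.isAdmin` and the `victim` object are constructed for the demonstration; the hardened variant's forbidden-key list is this example's choice, not a description of the upstream patch.

```javascript
// Added example (simplified stand-in, not lodash's source): the deep key
// setter that _.zipObjectDeep relies on, once without path validation and
// once refusing the keys that reach a shared prototype.

// Vulnerable: "__proto__" is followed like any other segment, so the final
// assignment lands on Object.prototype and every plain object inherits it.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

function zipObjectDeepUnsafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathUnsafe(acc, p, values[i]), {});
}

// Hardened: reject prototype-reaching keys and only descend into own
// properties, so an inherited getter such as __proto__ is never followed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set key "${k}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

function zipObjectDeepSafe(paths, values) {
  return paths.reduce((acc, p, i) => setPathSafe(acc, p, values[i]), {});
}

// Runs the attack against the unsafe setter, checks an unrelated object,
// restores the prototype, then shows the hardened setter refusing the input.
function demonstrate() {
  const victim = {};                       // created before the attack, never touched
  const before = victim.isAdmin;           // undefined
  zipObjectDeepUnsafe(['__proto__.isAdmin', 'a.b'], [true, 1]);
  const after = victim.isAdmin;            // true: Object.prototype was polluted
  delete Object.prototype.isAdmin;         // restore the prototype
  let rejected = null;
  try {
    zipObjectDeepSafe(['__proto__.isAdmin'], [true]);
  } catch (e) {
    rejected = e.message;
  }
  return { before, after, rejected, restored: victim.isAdmin };
}

console.log(demonstrate());
```

The point of the `victim` object is that it is never passed to the setter: once `Object.prototype` carries `isAdmin`, every object in the process that does not define its own `isAdmin` reports `true`, which is what makes prototype pollution reachable from code far from the vulnerable call.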
🔴CVE-2021-23337
Vulnerable Library - lodash-4.17.10.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- pr-changelog-0.3.2.tgz (Root Library)
  - babel-preset-es2015-6.24.1.tgz
    - babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      - babel-helper-regex-6.26.0.tgz
        - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- request-promise-native-1.0.5.tgz (Root Library)
  - request-promise-core-1.1.1.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- stylelint-9.3.0.tgz (Root Library)
  - postcss-reporter-5.0.0.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- electron-packager-16.0.0.tgz (Root Library)
  - get-2.0.1.tgz
    - global-tunnel-ng-2.7.1.tgz
      - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- cheerio-1.0.0-rc.2.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- rest-15.9.5.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution: lodash 4.17.21, lodash-es 4.17.21
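The template finding is only exploitable when a caller controls the template options, so it is worth seeing how an option string becomes code. The following added example (a simplified stand-in written for this report, not lodash's implementation) compiles templates in the style of _.template by splicing the `variable` option into generated function source, then shows an option value that escapes the parameter list and the allow-list check that rejects it. The injected payload, the `globalThis.__templatePwned` marker that stands in for a command, and the identifier regex used for validation are all this example's own choices.

```javascript
// Added example (simplified stand-in, not lodash's implementation): a template
// compiler in the style of _.template that splices the `variable` option
// into generated source. Without validation the option is a code-injection
// point; the allow-list check below closes it. The marker written to
// globalThis stands in for the command execution an attacker would run.

function compileTemplate(text, options = {}, validateVariable = false) {
  const variable = options.variable || 'obj';
  if (validateVariable && !/^[A-Za-z_$][\w$]*$/.test(variable)) {
    throw new Error(`invalid variable name: ${JSON.stringify(variable)}`);
  }
  // Turn "Hello <%= user.name %>!" into a concatenation of string literals
  // and bare expressions; literals are JSON-escaped, expressions are not.
  const parts = [];
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    parts.push(JSON.stringify(text.slice(last, m.index)));
    parts.push(`(${m[1]})`);
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(text.slice(last)));
  // `variable` is interpolated directly into the function's source text.
  const source = `return function(${variable}) { return ${parts.join(' + ')}; };`;
  return new Function(source)();
}

// Closes the parameter list early, appends a statement, then reopens a
// second (unused) function so the remainder of the source still parses.
const INJECTED_VARIABLE = 'obj){ globalThis.__templatePwned = true }; function unused(obj';

function demonstrate() {
  delete globalThis.__templatePwned;
  const benign = compileTemplate('Hello <%= user.name %>!', { variable: 'user' })({ name: 'Ann' });

  const tpl = compileTemplate('', { variable: INJECTED_VARIABLE }); // compiles silently
  tpl({});                                                         // rendering runs the injected statement
  const pwned = globalThis.__templatePwned === true;
  delete globalThis.__templatePwned;

  let rejected = null;
  try {
    compileTemplate('', { variable: INJECTED_VARIABLE }, true);
  } catch (e) {
    rejected = e.message;
  }
  return { benign, pwned, rejected };
}

console.log(demonstrate());
```

Note that the injected statement runs when the compiled template is rendered, not when it is compiled, so a vulnerable service that caches compiled templates still executes the payload on the first request that renders it.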
🔴CVE-2019-1010266
Vulnerable Library - lodash-4.17.10.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- pr-changelog-0.3.2.tgz (Root Library)
  - babel-preset-es2015-6.24.1.tgz
    - babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      - babel-helper-regex-6.26.0.tgz
        - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- request-promise-native-1.0.5.tgz (Root Library)
  - request-promise-core-1.1.1.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- stylelint-9.3.0.tgz (Root Library)
  - postcss-reporter-5.0.0.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- electron-packager-16.0.0.tgz (Root Library)
  - get-2.0.1.tgz
    - global-tunnel-ng-2.7.1.tgz
      - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- cheerio-1.0.0-rc.2.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- rest-15.9.5.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: Jul 17, 2019 08:25 PM
URL: CVE-2019-1010266
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-x5rq-j2xg-h7qm
Release Date: Jul 17, 2019 08:25 PM
Fix Resolution: lodash-es 4.17.11, lodash 4.17.11, lodash-amd 4.17.11
🟠CVE-2020-28500
Vulnerable Library - lodash-4.17.10.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.10.tgz
Path to dependency file: /script/package.json
Dependency Hierarchy:
- pr-changelog-0.3.2.tgz (Root Library)
  - babel-preset-es2015-6.24.1.tgz
    - babel-plugin-transform-es2015-sticky-regex-6.24.1.tgz
      - babel-helper-regex-6.26.0.tgz
        - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- request-promise-native-1.0.5.tgz (Root Library)
  - request-promise-core-1.1.1.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- stylelint-9.3.0.tgz (Root Library)
  - postcss-reporter-5.0.0.tgz
    - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- electron-packager-16.0.0.tgz (Root Library)
  - get-2.0.1.tgz
    - global-tunnel-ng-2.7.1.tgz
      - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- cheerio-1.0.0-rc.2.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
- rest-15.9.5.tgz (Root Library)
  - ❌ lodash-4.17.10.tgz (Vulnerable Library)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: Feb 15, 2021 11:10 AM
URL: CVE-2020-28500
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-29mw-wpgm-hmr9
Release Date: Feb 15, 2021 11:10 AM
Fix Resolution: lodash 4.17.21, lodash-es 4.17.21
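Three of the five findings (CVE-2021-23490 in parse-link-header, CVE-2019-1010266 and CVE-2020-28500 in lodash) are regular-expression denial of service, all triggered by a long attacker-supplied string that a regex scans with superlinear cost. The following added example, written for this report and not taken from either library, shows the mechanism and the two standard fixes: a trimEnd built on an end-anchored `\s+$` regex (assumed representative of the vulnerable pattern class, not quoted from lodash) beside a linear scan, and an input-length cap applied before parsing, which is the style of fix parse-link-header 2.0.0 uses (the 2000-character default here is an assumption). The link header is a constructed sample; `measureMs` requires Node.js.

```javascript
// Added example covering the three ReDoS findings here (CVE-2021-23490 in
// parse-link-header, CVE-2019-1010266 and CVE-2020-28500 in lodash); written
// for this report, not taken from either library. The `\s+$` regex is assumed
// to be representative of the vulnerable pattern class, not quoted from
// lodash, and the 2000-character cap is an assumption.

// Quadratic: for each start position the engine matches the whole run of
// spaces, fails at the trailing non-space, and backtracks through every
// shorter match before moving on to the next start position.
function trimEndRegex(s) {
  return s.replace(/\s+$/, '');
}

// Linear: one single-character test per position, scanning from the end.
const WS = /\s/;
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0 && WS.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Worst-case input for the regex form: a long run of spaces that turns out
// not to be trailing whitespace.
function worstCase(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call (Node.js only).
function measureMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Length cap in the style of parse-link-header 2.0.0: refuse before parsing,
// so the regex cost is bounded whatever the pattern does.
const MAX_HEADER_LENGTH = 2000;

// Parses '<url>; rel="next", <url>; rel="last"' into { rel: url }. The
// pattern has no nested or overlapping quantifiers, so it cannot backtrack
// catastrophically; the cap bounds the work regardless.
function parseLinkHeaderCapped(header, max = MAX_HEADER_LENGTH) {
  if (typeof header !== 'string') return null;
  if (header.length > max) {
    throw new RangeError(`link header too long (${header.length} > ${max})`);
  }
  const links = {};
  for (const part of header.split(',')) {
    const m = part.trim().match(/^<([^>]*)>\s*;\s*rel="?([^";]+)"?$/);
    if (m) links[m[2]] = m[1];
  }
  return links;
}

// Constructed header in the form a paginated REST API returns.
const SAMPLE_HEADER =
  '<https://api.example.com/repos?page=2>; rel="next", ' +
  '<https://api.example.com/repos?page=5>; rel="last"';

// Doubling n roughly quadruples the regex time and doubles the linear time.
for (const n of [1000, 2000, 4000]) {
  const input = worstCase(n);
  console.log(n, 'regex ms:', measureMs(trimEndRegex, input).toFixed(2),
              'linear ms:', measureMs(trimEndLinear, input).toFixed(2));
}
console.log(parseLinkHeaderCapped(SAMPLE_HEADER));
```

Both fixes are worth having: the linear scan removes the superlinear behaviour for the functions you control, while the length cap protects any parser, including ones whose regexes you have not audited, at the cost of rejecting legitimately long inputs above the limit.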