📂 Vulnerable Library - webpack-plugin-injector-1.0.6.tgz
Injects Shopware Plugins into a Webpack config
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-289561-266276 | 🟣 Critical | 9.8 | N/A | N/A | inherits-2.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-2022-37601 | 🟣 Critical | 9.3 | Not Defined | 24.6% | loader-utils-1.4.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-3517 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-2022-37599 | 🔴 High | 8.7 | Not Defined | 7.1000004% | loader-utils-1.4.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-37603 | 🔴 High | 8.7 | Not Defined | 1.7% | loader-utils-1.4.0.tgz | Transitive | N/A | ❌ | |
| CVE-2020-28469 | 🟠 Medium | 6.9 | Not Defined | < 1% | glob-parent-3.1.0.tgz | Transitive | N/A | ❌ | |
Details
🟣CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- puppeteer-13.7.0.tgz (Root Library)
  - tar-fs-2.1.1.tgz
    - tar-stream-2.2.0.tgz
      - bl-4.1.0.tgz
        - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- cli-0.9.0.tgz (Root Library)
  - express-4.18.2.tgz
    - http-errors-2.0.0.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- webpack-dev-server-3.11.3.tgz (Root Library)
  - chokidar-2.1.8.tgz
    - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz (Root Library)
  - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- test-utils-2.3.2.tgz (Root Library)
  - js-beautify-1.14.6.tgz
    - glob-8.1.0.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- mocha-7.2.0.tgz (Root Library)
  - glob-7.1.3.tgz
    - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- webpack-4.46.0.tgz (Root Library)
  - memory-fs-0.4.1.tgz
    - readable-stream-2.3.7.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.7.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - cacache-12.0.4.tgz
      - mississippi-3.0.0.tgz
        - duplexify-3.7.1.tgz
          - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- puppeteer-13.1.2.tgz (Root Library)
  - rimraf-3.0.2.tgz
    - glob-7.2.3.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- nuxt-2.10.2.tgz (Root Library)
  - loading-screen-1.2.0.tgz
    - serve-static-1.14.1.tgz
      - send-0.17.1.tgz
        - http-errors-1.7.3.tgz
          - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - cacache-12.0.4.tgz
      - mississippi-3.0.0.tgz
        - pumpify-1.5.1.tgz
          - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
  - glob-7.1.6.tgz
    - ❌ inherits-2.0.4.tgz (Vulnerable Library)
- cli-0.11.0.tgz (Root Library)
  - express-4.18.2.tgz
    - http-errors-2.0.0.tgz
      - ❌ inherits-2.0.4.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2022-37601
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-cli-3.3.12.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-37601
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 24.6%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-76p3-8jx3-jpfq
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution: loader-utils - 2.0.3, loader-utils - 1.4.1
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /src/Administration/Resources/app/administration/build/nuxt-component-library/package.json
Dependency Hierarchy:
- babel-jest-29.5.0.tgz (Root Library)
  - babel-plugin-istanbul-6.1.1.tgz
    - test-exclude-6.0.0.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- optional-chaining-codemod-1.7.0.tgz (Root Library)
  - jscodeshift-0.13.1.tgz
    - node-dir-0.1.17.tgz
      - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- glob-7.1.4.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- mocha-7.2.0.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- twig-1.15.4.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- twig-1.13.3.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- nuxt-2.10.2.tgz (Root Library)
  - webpack-2.10.2.tgz
    - style-resources-loader-1.3.2.tgz
      - glob-7.1.6.tgz
        - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- fork-ts-checker-webpack-plugin-6.5.3.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution: minimatch - 3.0.5
🔴CVE-2022-37599
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-cli-3.3.12.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Publish Date: Oct 11, 2022 12:00 AM
URL: CVE-2022-37599
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 7.1000004%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hhq3-ff78-jv3g
Release Date: Oct 11, 2022 12:00 AM
Fix Resolution: loader-utils - 2.0.4, https://github.com/webpack/loader-utils.git - no_fix, loader-utils - 3.2.1, loader-utils - 1.4.2
🔴CVE-2022-37603
Vulnerable Library - loader-utils-1.4.0.tgz
utils for webpack loaders
Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz
Path to dependency file: /src/Administration/Resources/app/administration/package.json
Dependency Hierarchy:
- webpack-4.46.0.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-cli-3.3.12.tgz (Root Library)
  - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ loader-utils-1.4.0.tgz (Vulnerable Library)
Vulnerability Details
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Publish Date: Oct 14, 2022 12:00 AM
URL: CVE-2022-37603
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rfm-jhwj-7488
Release Date: Oct 14, 2022 12:00 AM
Fix Resolution: loader-utils - 1.4.2, loader-utils - 3.2.1, loader-utils - 2.0.4
🟠CVE-2020-28469
Vulnerable Library - glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /src/Storefront/Resources/app/storefront/package.json
Dependency Hierarchy:
- webpack-dev-server-3.11.3.tgz (Root Library)
  - chokidar-2.1.8.tgz
    - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.7.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- nuxt-2.10.2.tgz (Root Library)
  - webpack-2.10.2.tgz
    - webpack-4.41.2.tgz
      - watchpack-1.6.0.tgz
        - chokidar-2.1.8.tgz
          - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
- webpack-plugin-injector-1.0.6.tgz (Root Library)
  - copy-webpack-plugin-5.1.2.tgz
    - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: Jun 03, 2021 03:15 PM
URL: CVE-2020-28469
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-ww39-953v-wcq6
Release Date: Jun 03, 2021 03:15 PM
Fix Resolution: glob-parent - 5.1.2