📂 Vulnerable Library - snyk-1.434.3.tgz
snyk library and cli utility
Path to dependency file: /package.json
Partial results (32 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-289561-266276 | 🟣 Critical | 9.8 | N/A | N/A | inherits-2.0.4.tgz | Transitive | N/A | ❌ | |
| CVE-398484-724968 | 🟣 Critical | 9.8 | N/A | N/A | ms-2.1.3.tgz | Transitive | N/A | ❌ | |
| CVE-72435-185255 | 🟣 Critical | 9.8 | N/A | N/A | tweetnacl-0.14.5.tgz | Transitive | N/A | ❌ | |
| CVE-2021-28918 | 🟣 Critical | 9.3 | Not Defined | 85.9% | netmask-1.0.6.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-1.2.5.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-44906 | 🟣 Critical | 9.3 | Not Defined | < 1% | minimist-1.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-23490 | 🔴 High | 8.7 | Not Defined | < 1% | parse-link-header-1.0.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-33502 | 🔴 High | 8.7 | Not Defined | < 1% | normalize-url-4.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-3807 | 🔴 High | 8.7 | Not Defined | < 1% | ansi-regex-5.0.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-3807 | 🔴 High | 8.7 | Not Defined | < 1% | ansi-regex-4.1.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-3517 | 🔴 High | 8.7 | Not Defined | < 1% | minimatch-3.0.4.tgz | Direct | minimatch - 3.0.5 | ✅ | Reachable |
| CVE-2024-4068 | 🔴 High | 8.7 | Not Defined | < 1% | braces-3.0.2.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-43138 | 🔴 High | 8.5 | Not Defined | < 1% | async-3.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-40764 | 🔴 High | 8.5 | Not Defined | 3.1% | snyk-go-plugin-1.16.2.tgz | Transitive | N/A | ❌ | |
| CVE-2022-40764 | 🔴 High | 8.5 | Not Defined | 3.1% | snyk-1.434.3.tgz | Direct | https://github.com/snyk/cli.git - no_fix | ✅ | Reachable |
| CVE-2020-8203 | 🔴 High | 8.3 | Not Defined | 2.4% | lodash.set-4.3.2.tgz | Transitive | N/A | ❌ | |
| CVE-2021-23406 | 🔴 High | 8.2 | Proof of concept | 1.0% | pac-resolver-3.0.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-23406 | 🔴 High | 8.2 | Proof of concept | 1.0% | degenerator-1.0.4.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-23337 | 🔴 High | 7.3 | Proof of concept | < 1% | lodash-4.17.20.tgz | Direct | lodash - 4.17.21,lodash-es - 4.17.21 | ✅ | Reachable |
| CVE-2021-23413 | 🟠 Medium | 6.9 | Not Defined | < 1% | jszip-3.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-23413 | 🟠 Medium | 6.9 | Not Defined | < 1% | jszip-3.4.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2021-29418 | 🟠 Medium | 6.9 | Not Defined | < 1% | netmask-1.0.6.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2022-25881 | 🟠 Medium | 6.9 | Not Defined | < 1% | http-cache-semantics-4.1.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-33987 | 🟠 Medium | 6.9 | Not Defined | < 1% | got-9.6.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-33987 | 🟠 Medium | 6.9 | Not Defined | < 1% | got-11.4.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2022-48285 | 🟠 Medium | 6.9 | Not Defined | < 1% | jszip-3.4.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2022-48285 | 🟠 Medium | 6.9 | Not Defined | < 1% | jszip-3.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2018-16487 | 🟠 Medium | 6.3 | Not Defined | < 1% | lodash.clonedeep-4.5.0.tgz | Transitive | N/A | ❌ | Reachable |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-1.2.5.tgz | Transitive | N/A | ❌ | |
| CVE-2020-7598 | 🟠 Medium | 6.3 | Not Defined | < 1% | minimist-1.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2020-28500 | 🟠 Medium | 5.5 | Proof of concept | < 1% | lodash-4.17.20.tgz | Direct | lodash-es - 4.17.21,lodash - 4.17.21 | ✅ | Reachable |
| CVE-2020-7788 | 🟠 Medium | 5.5 | Proof of concept | < 1% | ini-1.3.4.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣 CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- express-4.17.3.tgz (Root Library)
- body-parser-1.19.2.tgz
- http-errors-1.8.1.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- http-errors-1.8.0.tgz (Root Library)
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- body-parser-1.20.1.tgz (Root Library)
- http-errors-2.0.0.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
- snyk-1.434.3.tgz (Root Library)
- snyk-docker-plugin-4.12.0.tgz
- tar-stream-2.1.4.tgz
- bl-4.0.3.tgz
- ❌ inherits-2.0.4.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-398484-724968
Vulnerable Library - ms-2.1.3.tgz
Tiny millisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-2.1.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- express-4.17.3.tgz (Root Library)
- send-0.17.2.tgz
- ❌ ms-2.1.3.tgz (Vulnerable Library)
- jsonwebtoken-9.0.0.tgz (Root Library)
- ❌ ms-2.1.3.tgz (Vulnerable Library)
- snyk-1.434.3.tgz (Root Library)
- needle-2.5.0.tgz
- debug-3.2.7.tgz
- ❌ ms-2.1.3.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-398484-724968
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-72435-185255
Vulnerable Library - tweetnacl-0.14.5.tgz
Port of TweetNaCl cryptographic library to JavaScript
Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-72435-185255
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-2021-28918
Vulnerable Library - netmask-1.0.6.tgz
Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- proxy-agent-3.1.1.tgz
- pac-proxy-agent-3.0.1.tgz
- pac-resolver-3.0.0.tgz
- ❌ netmask-1.0.6.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/request/index.js (Extension)
- snyk-1.434.3/dist/lib/request/request.js (Extension)
- proxy-agent-3.1.1/index.js (Extension)
- pac-proxy-agent-3.0.1/index.js (Extension)
- pac-resolver-3.0.0/index.js (Extension)
- pac-resolver-3.0.0/isInNet.js (Extension)
-> ❌ netmask-1.0.6/lib/netmask.js (Vulnerable Component)
Vulnerability Details
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Publish Date: Apr 01, 2021 12:33 PM
URL: CVE-2021-28918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 85.9%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣 CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/config.js (Extension)
- snyk-config-4.0.0-rc.2/dist/index.js (Extension)
- snyk-config-4.0.0-rc.2/dist/nconf/nconf.js (Extension)
- snyk-config-4.0.0-rc.2/dist/nconf/nconf/stores/argv.js (Extension)
-> ❌ minimist-1.2.5/index.js (Vulnerable Component)
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution: minimist - 0.2.4,minimist - 1.2.6
🟣 CVE-2021-44906
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- registry-auth-token-4.2.1.tgz
- rc-1.2.8.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution: minimist - 0.2.4,minimist - 1.2.6
🔴 CVE-2021-23490
Vulnerable Library - parse-link-header-1.0.1.tgz
Parses a link header and returns paging information for each contained link.
Library home page: https://registry.npmjs.org/parse-link-header/-/parse-link-header-1.0.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-docker-plugin-4.12.0.tgz
- snyk-docker-pull-3.2.3.tgz
- docker-registry-v2-client-1.13.9.tgz
- ❌ parse-link-header-1.0.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
Publish Date: Dec 24, 2021 08:05 PM
URL: CVE-2021-23490
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2021-23490
Release Date: Dec 24, 2021 08:05 PM
Fix Resolution: https://github.com/thlorenz/parse-link-header.git - no_fix,parse-link-header - 2.0.0
🔴 CVE-2021-33502
Vulnerable Library - normalize-url-4.5.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- got-9.6.0.tgz
- cacheable-request-6.1.0.tgz
- ❌ normalize-url-4.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: May 24, 2021 03:42 PM
URL: CVE-2021-33502
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-px4h-xg32-q955
Release Date: May 24, 2021 03:42 PM
Fix Resolution: normalize-url - 5.3.1,normalize-url - 6.0.1,normalize-url - 4.5.1
🔴 CVE-2021-3807
Vulnerable Library - ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- inquirer-7.3.3.tgz
- strip-ansi-6.0.0.tgz
- ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- strip-ansi-6.0.0/index.js (Extension)
-> ❌ ansi-regex-5.0.0/index.js (Vulnerable Component)
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3807
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2021-3807
Release Date: Sep 17, 2021 12:00 AM
Fix Resolution: https://github.com/chalk/ansi-regex.git - no_fix,ansi-regex - 6.0.1,ansi-regex - 4.1.1,ansi-regex - 5.0.1,ansi-regex - 3.0.1
🔴 CVE-2021-3807
Vulnerable Library - ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- wrap-ansi-5.1.0.tgz
- string-width-3.1.0.tgz
- strip-ansi-5.2.0.tgz
- ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3807
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-93q8-gq69-wqmw
Release Date: Sep 17, 2021 12:00 AM
Fix Resolution: ansi-regex - 5.0.1,ansi-regex - 4.1.1,ansi-regex - 6.0.1,ansi-regex - 3.0.1,https://github.com/chalk/ansi-regex.git - no_fix
🔴 CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- bunyan-1.8.14.tgz (Root Library)
- mv-2.1.1.tgz
- rimraf-2.4.5.tgz
- glob-6.0.4.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- snyk-1.434.3.tgz (Root Library)
- snyk-mvn-plugin-2.25.0.tgz
- tmp-0.1.0.tgz
- rimraf-2.7.1.tgz
- glob-7.1.6.tgz
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/src/lib/config.js (Application)
-> ❌ minimatch-3.0.4/minimatch.js (Vulnerable Component)
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution: minimatch - 3.0.5
🔴 CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- micromatch-4.0.2.tgz
- ❌ braces-3.0.2.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/run-test.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-deps-from-plugin.js (Extension)
- snyk-1.434.3/dist/lib/plugins/nodejs-plugin/yarn-workspaces-parser.js (Extension)
- micromatch-4.0.2/index.js (Extension)
- braces-3.0.2/index.js (Extension)
- braces-3.0.2/lib/parse.js (Extension)
-> ❌ braces-3.0.2/lib/constants.js (Vulnerable Component)
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting further research, it was concluded that CVE-2024-4068 does not carry a security risk as high as the NVD score reflects, but it should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-grv7-fg5c-xmjg
Release Date: May 13, 2024 10:06 AM
Fix Resolution: braces - 3.0.3
🔴 CVE-2021-43138
Vulnerable Library - async-3.2.0.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-config-4.0.0-rc.2.tgz
- ❌ async-3.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: Apr 06, 2022 12:00 AM
URL: CVE-2021-43138
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-fwr7-v2mv-hh25
Release Date: Apr 06, 2022 12:00 AM
Fix Resolution: async - 2.6.4,async - 3.2.2
🔴 CVE-2022-40764
Vulnerable Library - snyk-go-plugin-1.16.2.tgz
Snyk CLI Golang plugin
Library home page: https://registry.npmjs.org/snyk-go-plugin/-/snyk-go-plugin-1.16.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- ❌ snyk-go-plugin-1.16.2.tgz (Vulnerable Library)
Vulnerability Details
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: Oct 03, 2022 02:03 PM
URL: CVE-2022-40764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-40764
Release Date: Oct 03, 2022 02:03 PM
Fix Resolution: https://github.com/snyk/cli.git - no_fix
🔴 CVE-2022-40764
Vulnerable Library - snyk-1.434.3.tgz
snyk library and cli utility
Library home page: https://registry.npmjs.org/snyk/-/snyk-1.434.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ snyk-1.434.3.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/run-test.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-deps-from-plugin.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-single-plugin-result.js (Extension)
- snyk-1.434.3/dist/lib/plugins/index.js (Extension)
- snyk-1.434.3/dist/lib/plugins/nodejs-plugin/index.js (Extension)
-> ❌ snyk-1.434.3/dist/lib/plugins/nodejs-plugin/npm-lock-parser.js (Vulnerable Component)
Vulnerability Details
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: Oct 03, 2022 02:03 PM
URL: CVE-2022-40764
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-40764
Release Date: Oct 03, 2022 02:03 PM
Fix Resolution: https://github.com/snyk/cli.git - no_fix
🔴 CVE-2020-8203
Vulnerable Library - lodash.set-4.3.2.tgz
The lodash method _.set exported as a module.
Library home page: https://registry.npmjs.org/lodash.set/-/lodash.set-4.3.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-resolve-deps-4.4.0.tgz
- ❌ lodash.set-4.3.2.tgz (Vulnerable Library)
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: Jul 15, 2020 04:10 PM
URL: CVE-2020-8203
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.4%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p6mc-m468-83gw
Release Date: Jul 15, 2020 04:10 PM
Fix Resolution: lodash - 4.17.19,lodash-es - 4.17.20
🔴 CVE-2021-23406
Vulnerable Library - pac-resolver-3.0.0.tgz
Generates an asynchronous resolver function from a PAC file
Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- proxy-agent-3.1.1.tgz
- pac-proxy-agent-3.0.1.tgz
- ❌ pac-resolver-3.0.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/request/index.js (Extension)
- snyk-1.434.3/dist/lib/request/request.js (Extension)
- proxy-agent-3.1.1/index.js (Extension)
- pac-proxy-agent-3.0.1/index.js (Extension)
-> ❌ pac-resolver-3.0.0/index.js (Vulnerable Component)
Vulnerability Details
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 24, 2021 07:45 AM
URL: CVE-2021-23406
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 1.0%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 CVE-2021-23406
Vulnerable Library - degenerator-1.0.4.tgz
Turns sync functions into async generator functions
Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- proxy-agent-3.1.1.tgz
- pac-proxy-agent-3.0.1.tgz
- pac-resolver-3.0.0.tgz
- ❌ degenerator-1.0.4.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/request/index.js (Extension)
- snyk-1.434.3/dist/lib/request/request.js (Extension)
- proxy-agent-3.1.1/index.js (Extension)
- pac-proxy-agent-3.0.1/index.js (Extension)
- pac-resolver-3.0.0/index.js (Extension)
-> ❌ degenerator-1.0.4/index.js (Vulnerable Component)
Vulnerability Details
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 24, 2021 07:45 AM
URL: CVE-2021-23406
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 1.0%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 CVE-2021-23337
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/detect.js (Extension)
-> ❌ lodash-4.17.20/lodash.js (Vulnerable Component)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 7.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution: lodash - 4.17.21,lodash-es - 4.17.21
🟠 CVE-2021-23413
Vulnerable Library - jszip-3.5.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-gradle-plugin-3.10.3.tgz
- java-call-graph-builder-1.16.2.tgz
- ❌ jszip-3.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, toString, etc.) results in a returned object with a modified prototype instance.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 25, 2021 01:10 PM
URL: CVE-2021-23413
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: Jul 25, 2021 01:10 PM
Fix Resolution: jszip - 3.7.0,jszip - 2.7.0,jszip - 3.7.0
🟠 CVE-2021-23413
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-nuget-plugin-1.19.4.tgz
- ❌ jszip-3.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/run-test.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-deps-from-plugin.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-single-plugin-result.js (Extension)
- snyk-1.434.3/dist/lib/plugins/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/dotnet-framework-parser.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/nuspec-parser.js (Extension)
-> ❌ jszip-3.4.0/lib/index.js (Vulnerable Component)
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, toString, etc.) results in a returned object with a modified prototype instance.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 25, 2021 01:10 PM
URL: CVE-2021-23413
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: Jul 25, 2021 01:10 PM
Fix Resolution: jszip - 3.7.0,jszip - 2.7.0,jszip - 3.7.0
🟠 CVE-2021-29418
Vulnerable Library - netmask-1.0.6.tgz
Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- proxy-agent-3.1.1.tgz
- pac-proxy-agent-3.0.1.tgz
- pac-resolver-3.0.0.tgz
- ❌ netmask-1.0.6.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/request/index.js (Extension)
- snyk-1.434.3/dist/lib/request/request.js (Extension)
- proxy-agent-3.1.1/index.js (Extension)
- pac-proxy-agent-3.0.1/index.js (Extension)
- pac-resolver-3.0.0/index.js (Extension)
- pac-resolver-3.0.0/isInNet.js (Extension)
-> ❌ netmask-1.0.6/lib/netmask.js (Vulnerable Component)
Vulnerability Details
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Publish Date: Mar 30, 2021 06:08 AM
URL: CVE-2021-29418
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pch5-whg9-qr2r
Release Date: Mar 30, 2021 06:08 AM
Fix Resolution: netmask - 2.0.1
🟠 CVE-2022-25881
Vulnerable Library - http-cache-semantics-4.1.0.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- got-9.6.0.tgz
- cacheable-request-6.1.0.tgz
- ❌ http-cache-semantics-4.1.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: Jan 31, 2023 05:00 AM
URL: CVE-2022-25881
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: Jan 31, 2023 05:00 AM
Fix Resolution: org.webjars.npm:http-cache-semantics:4.1.1,http-cache-semantics - 4.1.1
🟠 CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- ❌ got-9.6.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: Jun 18, 2022 08:51 PM
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfrx-2q88-qq97
Release Date: Jun 18, 2022 08:51 PM
Fix Resolution: got - 11.8.5,got - 12.1.0
🟠 CVE-2022-33987
Vulnerable Library - got-11.4.0.tgz
Human-friendly and powerful HTTP request library for Node.js
Library home page: https://registry.npmjs.org/got/-/got-11.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-nodejs-lockfile-parser-1.30.1.tgz
- ❌ got-11.4.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: Jun 18, 2022 08:51 PM
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfrx-2q88-qq97
Release Date: Jun 18, 2022 08:51 PM
Fix Resolution : got - 12.1.0,got - 11.8.5
🟠CVE-2022-48285
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-nuget-plugin-1.19.4.tgz
- ❌ jszip-3.4.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/index.js (Extension)
- snyk-1.434.3/dist/lib/snyk-test/run-test.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-deps-from-plugin.js (Extension)
- snyk-1.434.3/dist/lib/plugins/get-single-plugin-result.js (Extension)
- snyk-1.434.3/dist/lib/plugins/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/index.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/dotnet-framework-parser.js (Extension)
- snyk-nuget-plugin-1.19.4/dist/nuget-parser/nuspec-parser.js (Extension)
- jszip-3.4.0/lib/index.js (Extension)
- jszip-3.4.0/lib/object.js (Extension)
-> ❌ jszip-3.4.0/lib/utils.js (Vulnerable Component)
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. Converted from WS-2023-0004, on 2023-02-01.
Publish Date: Jan 29, 2023 12:00 AM
URL: CVE-2022-48285
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-36fh-84j7-cv5h
Release Date: Jan 29, 2023 12:00 AM
Fix Resolution : jszip - 3.8.0,jszip - 3.8.0
🟠CVE-2022-48285
Vulnerable Library - jszip-3.5.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-gradle-plugin-3.10.3.tgz
- java-call-graph-builder-1.16.2.tgz
- ❌ jszip-3.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. Converted from WS-2023-0004, on 2023-02-01.
Publish Date: Jan 29, 2023 12:00 AM
URL: CVE-2022-48285
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-36fh-84j7-cv5h
Release Date: Jan 29, 2023 12:00 AM
Fix Resolution : jszip - 3.8.0,jszip - 3.8.0
🟠CVE-2018-16487
Vulnerable Library - lodash.clonedeep-4.5.0.tgz
The lodash method _.cloneDeep exported as a module.
Library home page: https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- snyk-try-require-1.3.1.tgz
- ❌ lodash.clonedeep-4.5.0.tgz (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/analytics.js (Extension)
- snyk-1.434.3/dist/lib/index.js (Extension)
- snyk-policy-1.14.1/lib/index.js (Extension)
- snyk-policy-1.14.1/lib/parser/index.js (Extension)
-> ❌ lodash.clonedeep-4.5.0/index.js (Vulnerable Component)
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: Feb 01, 2019 06:00 PM
URL: CVE-2018-16487
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-4xc9-xhrj-v574
Release Date: Feb 01, 2019 06:00 PM
Fix Resolution : lodash - 4.17.11
🟠CVE-2020-7598
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 1.2.3,minimist - 0.2.1
🟠CVE-2020-7598
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- registry-auth-token-4.2.1.tgz
- rc-1.2.8.tgz
- ❌ minimist-1.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution : minimist - 0.2.1,minimist - 1.2.3
🟠CVE-2020-28500
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- verdaccio-2.3.1/package.json (Application)
- snyk-1.434.3/dist/cli/index.js (Extension)
- snyk-1.434.3/dist/lib/detect.js (Extension)
-> ❌ lodash-4.17.20/lodash.js (Vulnerable Component)
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: Feb 15, 2021 11:10 AM
URL: CVE-2020-28500
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-29mw-wpgm-hmr9
Release Date: Feb 15, 2021 11:10 AM
Fix Resolution : lodash-es - 4.17.21,lodash - 4.17.21
🟠CVE-2020-7788
Vulnerable Library - ini-1.3.4.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- snyk-1.434.3.tgz (Root Library)
- update-notifier-4.1.3.tgz
- latest-version-5.1.0.tgz
- package-json-6.5.0.tgz
- registry-auth-token-4.2.1.tgz
- rc-1.2.8.tgz
- ❌ ini-1.3.4.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: Dec 11, 2020 10:45 AM
URL: CVE-2020-7788
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-qqgx-2p2h-9c37
Release Date: Dec 11, 2020 10:45 AM
Fix Resolution : ini - 1.3.6
Findings
Details
🟣CVE-289561-266276
Vulnerable Library - inherits-2.0.4.tgz
Browser-friendly inheritance fully compatible with standard node.js inherits()
Library home page: https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- express-4.17.3.tgz (Root Library)
- http-errors-1.8.0.tgz (Root Library)
- body-parser-1.20.1.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-289561-266276
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-398484-724968
Vulnerable Library - ms-2.1.3.tgz
Tiny millisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-2.1.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- express-4.17.3.tgz (Root Library)
- jsonwebtoken-9.0.0.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-398484-724968
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-72435-185255
Vulnerable Library - tweetnacl-0.14.5.tgz
Port of TweetNaCl cryptographic library to JavaScript
Library home page: https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- request-2.88.2.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-72435-185255
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2021-28918
Vulnerable Library - netmask-1.0.6.tgz
Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Publish Date: Apr 01, 2021 12:33 PM
URL: CVE-2021-28918
Threat Assessment
Exploit Maturity:Not Defined
EPSS:85.9%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- mkdirp-0.5.5.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🟣CVE-2021-44906
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: Mar 17, 2022 01:05 PM
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: Mar 17, 2022 01:05 PM
Fix Resolution : minimist - 0.2.4,minimist - 1.2.6
🔴CVE-2021-23490
Vulnerable Library - parse-link-header-1.0.1.tgz
Parses a link header and returns paging information for each contained link.
Library home page: https://registry.npmjs.org/parse-link-header/-/parse-link-header-1.0.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
Publish Date: Dec 24, 2021 08:05 PM
URL: CVE-2021-23490
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2021-23490
Release Date: Dec 24, 2021 08:05 PM
Fix Resolution : https://github.com/thlorenz/parse-link-header.git - no_fix,parse-link-header - 2.0.0
🔴CVE-2021-33502
Vulnerable Library - normalize-url-4.5.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: May 24, 2021 03:42 PM
URL: CVE-2021-33502
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-px4h-xg32-q955
Release Date: May 24, 2021 03:42 PM
Fix Resolution : normalize-url - 5.3.1,normalize-url - 6.0.1,normalize-url - 4.5.1
🔴CVE-2021-3807
Vulnerable Library - ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3807
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2021-3807
Release Date: Sep 17, 2021 12:00 AM
Fix Resolution : https://github.com/chalk/ansi-regex.git - no_fix,ansi-regex - 6.0.1,ansi-regex - 4.1.1,ansi-regex - 5.0.1,ansi-regex - 3.0.1
🔴CVE-2021-3807
Vulnerable Library - ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: Sep 17, 2021 12:00 AM
URL: CVE-2021-3807
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-93q8-gq69-wqmw
Release Date: Sep 17, 2021 12:00 AM
Fix Resolution : ansi-regex - 5.0.1,ansi-regex - 4.1.1,ansi-regex - 6.0.1,ansi-regex - 3.0.1,https://github.com/chalk/ansi-regex.git - no_fix
🔴CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- bunyan-1.8.14.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
- snyk-1.434.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: Oct 17, 2022 12:00 AM
URL: CVE-2022-3517
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-f8q6-p94x-37v3
Release Date: Oct 17, 2022 12:00 AM
Fix Resolution : minimatch - 3.0.5
🔴CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In "lib/parse.js," if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: May 13, 2024 10:06 AM
URL: CVE-2024-4068
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-grv7-fg5c-xmjg
Release Date: May 13, 2024 10:06 AM
Fix Resolution : braces - 3.0.3
🔴CVE-2021-43138
Vulnerable Library - async-3.2.0.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: Apr 06, 2022 12:00 AM
URL: CVE-2021-43138
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-fwr7-v2mv-hh25
Release Date: Apr 06, 2022 12:00 AM
Fix Resolution : async - 2.6.4,async - 3.2.2
🔴CVE-2022-40764
Vulnerable Library - snyk-go-plugin-1.16.2.tgz
Snyk CLI Golang plugin
Library home page: https://registry.npmjs.org/snyk-go-plugin/-/snyk-go-plugin-1.16.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: Oct 03, 2022 02:03 PM
URL: CVE-2022-40764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-40764
Release Date: Oct 03, 2022 02:03 PM
Fix Resolution : https://github.com/snyk/cli.git - no_fix
🔴CVE-2022-40764
Vulnerable Library - snyk-1.434.3.tgz
snyk library and cli utility
Library home page: https://registry.npmjs.org/snyk/-/snyk-1.434.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: Oct 03, 2022 02:03 PM
URL: CVE-2022-40764
Threat Assessment
Exploit Maturity:Not Defined
EPSS:3.1%
Score: 8.5
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/CVE-2022-40764
Release Date: Oct 03, 2022 02:03 PM
Fix Resolution : https://github.com/snyk/cli.git - no_fix
🔴CVE-2020-8203
Vulnerable Library - lodash.set-4.3.2.tgz
The lodash method _.set exported as a module.
Library home page: https://registry.npmjs.org/lodash.set/-/lodash.set-4.3.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: Jul 15, 2020 04:10 PM
URL: CVE-2020-8203
Threat Assessment
Exploit Maturity:Not Defined
EPSS:2.4%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-p6mc-m468-83gw
Release Date: Jul 15, 2020 04:10 PM
Fix Resolution : lodash - 4.17.19,lodash-es - 4.17.20
🔴CVE-2021-23406
Vulnerable Library - pac-resolver-3.0.0.tgz
Generates an asynchronous resolver function from a PAC file
Library home page: https://registry.npmjs.org/pac-resolver/-/pac-resolver-3.0.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 24, 2021 07:45 AM
URL: CVE-2021-23406
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:1.0%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2021-23406
Vulnerable Library - degenerator-1.0.4.tgz
Turns sync functions into async generator functions
Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Aug 24, 2021 07:45 AM
URL: CVE-2021-23406
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:1.0%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2021-23337
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ lodash-4.17.20.tgz (Vulnerable Library)
- snyk-1.434.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 7.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution : lodash - 4.17.21,lodash-es - 4.17.21
🟠CVE-2021-23413
Vulnerable Library - jszip-3.5.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. __proto__, toString, etc.) results in a returned object with a modified prototype instance.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 25, 2021 01:10 PM
URL: CVE-2021-23413
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: Jul 25, 2021 01:10 PM
Fix Resolution : jszip - 3.7.0,jszip - 2.7.0,jszip - 3.7.0
🟠CVE-2021-23413
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. __proto__, toString, etc.) results in a returned object with a modified prototype instance.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jul 25, 2021 01:10 PM
URL: CVE-2021-23413
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
Release Date: Jul 25, 2021 01:10 PM
Fix Resolution : jszip - 3.7.0,jszip - 2.7.0,jszip - 3.7.0
🟠CVE-2021-29418
Vulnerable Library - netmask-1.0.6.tgz
Parse and lookup IP network blocks
Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.
Publish Date: Mar 30, 2021 06:08 AM
URL: CVE-2021-29418
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pch5-whg9-qr2r
Release Date: Mar 30, 2021 06:08 AM
Fix Resolution : netmask - 2.0.1
🟠CVE-2022-25881
Vulnerable Library - http-cache-semantics-4.1.0.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: Jan 31, 2023 05:00 AM
URL: CVE-2022-25881
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: Jan 31, 2023 05:00 AM
Fix Resolution : org.webjars.npm:http-cache-semantics:4.1.1,http-cache-semantics - 4.1.1
🟠CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: Jun 18, 2022 08:51 PM
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfrx-2q88-qq97
Release Date: Jun 18, 2022 08:51 PM
Fix Resolution : got - 11.8.5,got - 12.1.0
🟠CVE-2022-33987
Vulnerable Library - got-11.4.0.tgz
Human-friendly and powerful HTTP request library for Node.js
Library home page: https://registry.npmjs.org/got/-/got-11.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: Jun 18, 2022 08:51 PM
URL: CVE-2022-33987
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-pfrx-2q88-qq97
Release Date: Jun 18, 2022 08:51 PM
Fix Resolution : got - 12.1.0,got - 11.8.5
🟠CVE-2022-48285
Vulnerable Library - jszip-3.4.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.4.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. Converted from WS-2023-0004, on 2023-02-01.
Publish Date: Jan 29, 2023 12:00 AM
URL: CVE-2022-48285
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-36fh-84j7-cv5h
Release Date: Jan 29, 2023 12:00 AM
Fix Resolution : jszip - 3.8.0,jszip - 3.8.0
🟠CVE-2022-48285
Vulnerable Library - jszip-3.5.0.tgz
Create, read and edit .zip files with JavaScript http://stuartk.com/jszip
Library home page: https://registry.npmjs.org/jszip/-/jszip-3.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. Converted from WS-2023-0004, on 2023-02-01.
Publish Date: Jan 29, 2023 12:00 AM
URL: CVE-2022-48285
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-36fh-84j7-cv5h
Release Date: Jan 29, 2023 12:00 AM
Fix Resolution : jszip - 3.8.0,jszip - 3.8.0
🟠CVE-2018-16487
Vulnerable Library - lodash.clonedeep-4.5.0.tgz
The lodash method _.cloneDeep exported as a module.
Library home page: https://registry.npmjs.org/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: Feb 01, 2019 06:00 PM
URL: CVE-2018-16487
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-4xc9-xhrj-v574
Release Date: Feb 01, 2019 06:00 PM
Fix Resolution : lodash - 4.17.11
🟠CVE-2020-7598
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- mkdirp-0.5.5.tgz (Root Library)
- snyk-1.434.3.tgz (Root Library)
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution: minimist - 1.2.3, minimist - 0.2.1
🟠 CVE-2020-7598
Vulnerable Library - minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Mar 11, 2020 09:40 PM
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vh95-rmgr-6w4m
Release Date: Mar 11, 2020 09:40 PM
Fix Resolution: minimist - 0.2.1, minimist - 1.2.3
🟠 CVE-2020-28500
Vulnerable Library - lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
❌ lodash-4.17.20.tgz (Vulnerable Library)
snyk-1.434.3.tgz (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: Feb 15, 2021 11:10 AM
URL: CVE-2020-28500
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-29mw-wpgm-hmr9
Release Date: Feb 15, 2021 11:10 AM
Fix Resolution: lodash-es - 4.17.21, lodash - 4.17.21
🟠 CVE-2020-7788
Vulnerable Library - ini-1.3.4.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.4.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: Dec 11, 2020 10:45 AM
URL: CVE-2020-7788
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: < 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-qqgx-2p2h-9c37
Release Date: Dec 11, 2020 10:45 AM
Fix Resolution: ini - 1.3.6