Dependency Hierarchy (qs-6.7.0.tgz, CVE-2022-24999):
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - express-4.17.1.tgz
      - ❌ qs-6.7.0.tgz (Vulnerable Library)
Dependency Hierarchy (glob-parent-3.1.0.tgz, CVE-2020-28469):
- react-scripts-3.4.1.tgz (Root Library)
  - webpack-dev-server-3.10.3.tgz
    - chokidar-2.1.8.tgz
      - ❌ glob-parent-3.1.0.tgz (Vulnerable Library)
Vulnerable Library - react-scripts-3.4.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimist/package.json
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10747
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. Its `set` function could be tricked into adding or modifying properties of Object.prototype when a path contains any of the `constructor`, `prototype` and `__proto__` segments.
Publish Date: 2019-08-23
URL: CVE-2019-10747
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2019-10746
Vulnerable Library - mixin-deep-1.3.1.tgz
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The mixin-deep function could be tricked into adding or modifying properties of Object.prototype using a `constructor` payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-23
Fix Resolution (mixin-deep): 1.3.2
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2021-44906
Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz, minimist-1.2.5.tgz
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimist/package.json
Dependency Hierarchy:
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/json5/node_modules/minimist/package.json,/console2/node_modules/babel-loader/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7788
Vulnerable Library - ini-1.3.5.tgz
An ini encoder/decoder for node
Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/ini/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Vulnerability Details
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Publish Date: 2020-12-11
URL: CVE-2020-7788
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
Release Date: 2020-12-11
Fix Resolution (ini): 1.3.6
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2021-23440
Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz
set-value-0.4.3.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/union-value/node_modules/set-value/package.json
Dependency Hierarchy:
set-value-2.0.0.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Mend Note: After conducting further research, Mend has determined that all versions of set-value before versions 2.0.1, 4.0.1 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
Release Date: 2021-09-12
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (set-value): 2.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7774
Vulnerable Library - y18n-4.0.0.tgz
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Vulnerability Details
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
Publish Date: 2020-11-17
URL: CVE-2020-7774
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1654
Release Date: 2020-11-17
Fix Resolution (y18n): 4.0.1
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7660
Vulnerable Library - serialize-javascript-2.1.2.tgz
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Vulnerability Details
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
CVE-2020-13822
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This has a security-relevant impact if an application relies on there being a single canonical signature for a given message and key (for example, when signatures are used as identifiers or deduplication keys).
Publish Date: 2020-06-04
URL: CVE-2020-13822
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-06-04
Fix Resolution: elliptic - 6.5.3
CVE-2019-20149
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/snapdragon-node/node_modules/kind-of/package.json,/console2/node_modules/define-property/node_modules/kind-of/package.json,/console2/node_modules/nanomatch/node_modules/kind-of/package.json,/console2/node_modules/micromatch/node_modules/kind-of/package.json,/console2/node_modules/base/node_modules/kind-of/package.json,/console2/node_modules/extglob/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2022-24999
Vulnerable Libraries - qs-6.7.0.tgz, qs-6.5.2.tgz
qs-6.7.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/express/node_modules/qs/package.json,/console2/node_modules/body-parser/node_modules/qs/package.json
Dependency Hierarchy:
qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
This vulnerability is potentially used
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-27
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-27
Fix Resolution (qs): 6.7.3
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (qs): 6.7.3
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-28469
Vulnerable Libraries - glob-parent-3.1.0.tgz, glob-parent-5.1.1.tgz
glob-parent-3.1.0.tgz
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/watchpack/node_modules/glob-parent/package.json,/console2/node_modules/fast-glob/node_modules/glob-parent/package.json,/console2/node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy:
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS), so a crafted glob string can make the call take excessive time.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (react-scripts): 5.0.0
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (react-scripts): 5.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
WS-2020-0091
Vulnerable Library - http-proxy-1.18.0.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/http-proxy/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-26
Fix Resolution: http-proxy - 1.18.1
CVE-2021-3777
Vulnerable Library - tmpl-1.0.4.tgz
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/tmpl/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Vulnerability Details
tmpl (nodejs-tmpl) before 1.0.5 is vulnerable to Inefficient Regular Expression Complexity (ReDoS).
Publish Date: 2021-09-15
URL: CVE-2021-3777
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-15
Fix Resolution (tmpl): 1.0.5
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7662
Vulnerable Library - websocket-extensions-0.1.3.tgz
Generic extension manager for WebSocket connections
Library home page: https://registry.npmjs.org/websocket-extensions/-/websocket-extensions-0.1.3.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/websocket-extensions/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Publish Date: 2020-06-02
URL: CVE-2020-7662
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7662
Release Date: 2020-06-02
Fix Resolution: websocket-extensions - 0.1.4
CVE-2021-3803
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
nth-check before 2.0.1 is vulnerable to Inefficient Regular Expression Complexity (ReDoS).
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
WS-2019-0424
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
All versions of elliptic are vulnerable to a timing attack through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
CVSS 3 Score Details (5.9)
Base Score Metrics:
CVE-2020-7598
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/mkdirp/node_modules/minimist/package.json
Dependency Hierarchy:
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a `constructor` or `__proto__` payload.
Publish Date: 2020-03-12
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-12
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (react-scripts): 3.4.2
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7693
Vulnerable Library - sockjs-0.3.19.tgz
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/sockjs/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
Incorrect handling of an Upgrade header with the value websocket leads to crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
Publish Date: 2020-07-09
URL: CVE-2020-7693
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (sockjs): 0.3.20
Direct dependency fix Resolution (react-scripts): 3.4.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-7608
Vulnerable Library - yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /console2/package.json
Path to vulnerable library: /console2/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e02dde31a397b33d53c1741a9c81bf8eca85623
Found in base branch: master
Reachability Analysis
The vulnerable code is not reachable.
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: yargs-parser - 13.1.2; 15.0.1; 18.1.1
In order to enable automatic remediation for this issue, please create workflow rules