max-4.3.30.tgz: 8 vulnerabilities (highest severity is: 9.8) #2806
Description
Vulnerable Library - max-4.3.30.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (max version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2021-3757 | Critical | 9.8 | immer-8.0.4.tgz | Transitive | N/A* | ❌ |
WS-2023-0439 | High | 7.5 | axios-0.27.2.tgz | Transitive | N/A* | ❌ |
CVE-2024-45296 | High | 7.5 | path-to-regexp-1.7.0.tgz | Transitive | N/A* | ❌ |
CVE-2023-45857 | Medium | 6.5 | axios-0.27.2.tgz | Transitive | N/A* | ❌ |
CVE-2024-45812 | Medium | 6.4 | vite-4.5.2.tgz | Transitive | N/A* | ❌ |
CVE-2024-31207 | Medium | 5.9 | vite-4.5.2.tgz | Transitive | N/A* | ❌ |
CVE-2021-23436 | Medium | 5.6 | immer-8.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2024-45811 | Medium | 4.8 | vite-4.5.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2021-3757
Vulnerable Library - immer-8.0.4.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.4.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - plugins-4.3.30.tgz
    - dva-immer-1.0.2.tgz
      - ❌ immer-8.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution: immer - 9.0.6
Step up your Open Source Security Game with Mend here
WS-2023-0439
Vulnerable Library - axios-0.27.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.27.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - plugins-4.3.30.tgz
    - ❌ axios-0.27.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). Server becomes unable to provide normal service due to the excessive cost and time wasted in processing vulnerable regular expressions.
Publish Date: 2023-10-25
URL: WS-2023-0439
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2023-0439
Release Date: 2023-10-25
Fix Resolution: axios - 1.6.3,0.20.0
CVE-2024-45296
Vulnerable Library - path-to-regexp-1.7.0.tgz
Express style path to RegExp utility
Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.7.0.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - umi-4.3.30.tgz
    - preset-umi-4.3.30.tgz
      - ❌ path-to-regexp-1.7.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Publish Date: 2024-09-09
URL: CVE-2024-45296
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wv6-86v2-598j
Release Date: 2024-09-09
Fix Resolution: path-to-regexp - 0.1.10,8.0.0
CVE-2023-45857
Vulnerable Library - axios-0.27.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.27.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - plugins-4.3.30.tgz
    - ❌ axios-0.27.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution: axios - 1.6.0
CVE-2024-45812
Vulnerable Library - vite-4.5.2.tgz
Library home page: https://registry.npmjs.org/vite/-/vite-4.5.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - umi-4.3.30.tgz
    - preset-umi-4.3.30.tgz
      - bundler-vite-4.3.30.tgz
        - ❌ vite-4.5.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to the cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JS code) living in the existing JavaScript code to transform it into executable code. A DOM Clobbering vulnerability was identified in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript. However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-09-17
URL: CVE-2024-45812
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-64vr-g452-qvp3
Release Date: 2024-09-17
Fix Resolution: vite - 3.2.11,4.5.5,5.1.8,5.2.14,5.3.6,5.4.6
CVE-2024-31207
Vulnerable Library - vite-4.5.2.tgz
Library home page: https://registry.npmjs.org/vite/-/vite-4.5.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - umi-4.3.30.tgz
    - preset-umi-4.3.30.tgz
      - bundler-vite-4.3.30.tgz
        - ❌ vite-4.5.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tool to improve the frontend development experience. server.fs.deny does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
Publish Date: 2024-04-04
URL: CVE-2024-31207
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8jhw-289h-jh2g
Release Date: 2024-04-04
Fix Resolution: vite - 2.9.18,3.2.10,4.5.3,5.0.13,5.1.7,5.2.6
CVE-2021-23436
Vulnerable Library - immer-8.0.4.tgz
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.4.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - plugins-4.3.30.tgz
    - dva-immer-1.0.2.tgz
      - ❌ immer-8.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different types.
Publish Date: 2021-09-01
URL: CVE-2021-23436
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution: immer - 9.0.6
CVE-2024-45811
Vulnerable Library - vite-4.5.2.tgz
Library home page: https://registry.npmjs.org/vite/-/vite-4.5.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- max-4.3.30.tgz (Root Library)
  - umi-4.3.30.tgz
    - preset-umi-4.3.30.tgz
      - bundler-vite-4.3.30.tgz
        - ❌ vite-4.5.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Vite is a frontend build tooling framework for JavaScript. In affected versions the contents of arbitrary files can be returned to the browser. @fs denies access to files outside of the Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-09-17
URL: CVE-2024-45811
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9cwx-2883-4wfx
Release Date: 2024-09-17
Fix Resolution: vite - 3.2.11,4.5.5,5.1.8,5.2.14,5.3.6,5.4.6