Skip to content

eslint-plugin-import-2.14.0.tgz: 2 vulnerabilities (highest severity is: 7.5) #23

New issue
New issue
Open
Open
eslint-plugin-import-2.14.0.tgz: 2 vulnerabilities (highest severity is: 7.5)#23
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
opened on May 30, 2024
Vulnerable Library - eslint-plugin-import-2.14.0.tgz

Path to dependency file: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (eslint-plugin-import version) Remediation Possible** Reachability
CVE-2021-23343 Medium 5.3 path-parse-1.0.6.tgz Transitive 2.15.0

Unreachable
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23343

Vulnerable Library - path-parse-1.0.6.tgz

Node.js path.parse() ponyfill

Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/path-parse/package.json

Dependency Hierarchy:

  • eslint-plugin-import-2.14.0.tgz (Root Library)
    • resolve-1.8.1.tgz
      • path-parse-1.0.6.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Publish Date: 2021-05-04

URL: CVE-2021-23343

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-05-04

Fix Resolution (path-parse): 1.0.7

Direct dependency fix Resolution (eslint-plugin-import): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Dependency Hierarchy:

  • eslint-plugin-import-2.14.0.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions