Description
Vulnerable Library - eslint-5.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in (eslint version) | Remediation Possible** | Reachability
---|---|---|---|---|---|---
CVE-2019-15657 | 9.8 | eslint-utils-1.3.1.tgz | Transitive | 5.5.0 | ✅ |
WS-2019-0063 | 8.1 | js-yaml-3.12.0.tgz | Transitive | 5.5.0 | ✅ |
WS-2020-0042 | 7.5 | acorn-5.7.1.tgz | Transitive | 5.5.0 | ✅ |
WS-2019-0032 | 7.5 | js-yaml-3.12.0.tgz | Transitive | 5.5.0 | ✅ |
CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ |
CVE-2021-3807 | 7.5 | ansi-regex-3.0.0.tgz | Transitive | 5.5.0 | ✅ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2019-15657
Vulnerable Library - eslint-utils-1.3.1.tgz
Utilities for ESLint plugins.
Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eslint-utils/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - ❌ eslint-utils-1.3.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
Publish Date: 2019-08-26
URL: CVE-2019-15657
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657
Release Date: 2020-08-24
Fix Resolution (eslint-utils): 1.4.1
Direct dependency fix Resolution (eslint): 5.5.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0063
Vulnerable Library - js-yaml-3.12.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - ❌ js-yaml-3.12.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
js-yaml versions prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Publish Date: 2019-04-05
URL: WS-2019-0063
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/813
Release Date: 2019-04-05
Fix Resolution (js-yaml): 3.13.1
Direct dependency fix Resolution (eslint): 5.5.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2020-0042
Vulnerable Library - acorn-5.7.1.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/acorn/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - espree-4.0.0.tgz
    - ❌ acorn-5.7.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser; where untrusted input is passed directly to acorn, attackers may leverage the vulnerability, leading to a Denial of Service.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 5.7.4
Direct dependency fix Resolution (eslint): 5.5.0
⛑️ Automatic Remediation will be attempted for this issue.
WS-2019-0032
Vulnerable Library - js-yaml-3.12.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/js-yaml/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - ❌ js-yaml-3.12.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
js-yaml versions prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution (js-yaml): 3.13.0
Direct dependency fix Resolution (eslint): 5.5.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json,/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution (minimatch): 3.0.5
CVE-2021-3807
Vulnerable Library - ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/eslint/node_modules/ansi-regex/package.json,/node_modules/pretty-format/node_modules/ansi-regex/package.json,/node_modules/concurrently/node_modules/ansi-regex/package.json,/node_modules/table/node_modules/ansi-regex/package.json,/node_modules/webpack-cli/node_modules/ansi-regex/package.json,/node_modules/inquirer/node_modules/ansi-regex/package.json
Dependency Hierarchy:
- eslint-5.4.0.tgz (Root Library)
  - strip-ansi-4.0.0.tgz
    - ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (eslint): 5.5.0
⛑️ Automatic Remediation will be attempted for this issue.