Description
Vulnerable Library - jest-24.9.0.tgz
Path to dependency file: /ndp-check-redirects/package.json
Path to vulnerable library: /codesnippets-auto-pr/node_modules/braces/package.json,/ndp-check-redirects/node_modules/braces/package.json
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (jest version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|
| CVE-2022-37598 | 9.8 | detected in multiple dependencies | Transitive | 25.0.0 | ✅ | |
| CVE-2021-44906 | 9.8 | detected in multiple dependencies | Transitive | 25.0.0 | ❌ | |
| CVE-2021-37712 | 8.2 | tar-4.4.8.tgz | Transitive | 25.0.0 | ❌ | |
| WS-2020-0042 | 7.5 | detected in multiple dependencies | Transitive | 25.0.0 | ❌ | |
| CVE-2024-4068 | 7.5 | braces-2.3.2.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-38900 | 7.5 | decode-uri-component-0.2.0.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2022-3517 | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-24999 | 7.5 | qs-6.5.2.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2021-3807 | 7.5 | detected in multiple dependencies | Transitive | 25.0.0 | ❌ | |
| CVE-2019-20149 | 7.5 | kind-of-6.0.2.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2022-46175 | 7.1 | json5-2.1.1.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2023-28155 | 6.1 | request-2.88.0.tgz | Transitive | N/A* | ❌ | |
| CVE-2021-23383 | 5.6 | handlebars-4.5.3.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2021-23369 | 5.6 | handlebars-4.5.3.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2020-7598 | 5.6 | detected in multiple dependencies | Transitive | 25.0.0 | ❌ | |
| CVE-2020-15366 | 5.6 | detected in multiple dependencies | Transitive | 25.0.0 | ❌ | |
| CVE-2021-32640 | 5.3 | ws-5.2.2.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2021-23362 | 5.3 | hosted-git-info-2.8.5.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2021-23343 | 5.3 | path-parse-1.0.6.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2020-7608 | 5.3 | yargs-parser-13.1.1.tgz | Transitive | 25.0.0 | ❌ | |
| CVE-2020-28500 | 5.3 | detected in multiple dependencies | Transitive | 25.0.0 | ✅ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2022-37598
Vulnerable Libraries - uglify-js-3.7.0.tgz, uglify-js-3.7.1.tgz
uglify-js-3.7.0.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.0.tgz
Path to dependency file: /ndp-check-redirects/package.json
Path to vulnerable library: /ndp-check-redirects/node_modules/uglify-js/package.json
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - handlebars-4.5.3.tgz
            - ❌ uglify-js-3.7.0.tgz (Vulnerable Library)
uglify-js-3.7.1.tgz
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-3.7.1.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - handlebars-4.5.3.tgz
            - ❌ uglify-js-3.7.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
Publish Date: 2022-10-20
URL: CVE-2022-37598
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-20
Fix Resolution (uglify-js): 3.13.10
Direct dependency fix Resolution (jest): 25.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-44906
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - jest-haste-map-24.9.0.tgz
        - fsevents-1.2.9.tgz
          - node-pre-gyp-0.12.0.tgz
            - mkdirp-0.5.1.tgz
              - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - handlebars-4.5.3.tgz
            - optimist-0.6.1.tgz
              - ❌ minimist-0.0.10.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - core-7.7.4.tgz
        - json5-2.1.1.tgz
          - ❌ minimist-1.2.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.2
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-37712
Vulnerable Library - tar-4.4.8.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - jest-haste-map-24.9.0.tgz
        - fsevents-1.2.9.tgz
          - node-pre-gyp-0.12.0.tgz
            - ❌ tar-4.4.8.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Publish Date: 2021-08-31
URL: CVE-2021-37712
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq89-hq3f-393p
Release Date: 2021-08-31
Fix Resolution (tar): 4.4.18
Direct dependency fix Resolution (jest): 25.0.0
WS-2020-0042
Vulnerable Libraries - acorn-6.4.0.tgz, acorn-5.7.3.tgz
acorn-6.4.0.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - acorn-globals-4.3.4.tgz
            - ❌ acorn-6.4.0.tgz (Vulnerable Library)
acorn-5.7.3.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.3.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - ❌ acorn-5.7.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6chw-6frg-f759
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (jest): 25.0.0
CVE-2024-4068
Vulnerable Library - braces-2.3.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz
Path to dependency file: /codesnippets-auto-pr/package.json
Path to vulnerable library: /codesnippets-auto-pr/node_modules/braces/package.json,/ndp-check-redirects/node_modules/braces/package.json
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - micromatch-3.1.10.tgz
        - ❌ braces-2.3.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-13
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-13
Fix Resolution: braces - 3.0.3
CVE-2022-38900
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - micromatch-3.1.10.tgz
        - snapdragon-0.8.2.tgz
          - source-map-resolve-0.5.2.tgz
            - ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (jest): 25.0.0
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - transform-24.9.0.tgz
        - babel-plugin-istanbul-5.2.0.tgz
          - test-exclude-5.2.3.tgz
            - ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - request-2.88.0.tgz
            - ❌ qs-6.5.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.5.3
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-3807
Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-4.1.0.tgz
ansi-regex-3.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - string-length-2.0.0.tgz
          - strip-ansi-4.0.0.tgz
            - ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-validate-24.9.0.tgz
      - pretty-format-24.9.0.tgz
        - ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity.
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (jest): 25.0.0
CVE-2019-20149
Vulnerable Library - kind-of-6.0.2.tgz
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - micromatch-3.1.10.tgz
        - ❌ kind-of-6.0.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149
Release Date: 2019-12-30
Fix Resolution (kind-of): 6.0.3
Direct dependency fix Resolution (jest): 25.0.0
CVE-2022-46175
Vulnerable Library - json5-2.1.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.1.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - core-7.7.4.tgz
        - ❌ json5-2.1.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (jest): 25.0.0
CVE-2023-28155
Vulnerable Library - request-2.88.0.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - ❌ request-2.88.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
CVE-2021-23383
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-05-04
URL: CVE-2021-23383
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
Release Date: 2021-05-04
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-23369
Vulnerable Library - handlebars-4.5.3.tgz
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.3.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - ❌ handlebars-4.5.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Publish Date: 2021-04-12
URL: CVE-2021-23369
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
Release Date: 2021-04-12
Fix Resolution (handlebars): 4.7.7
Direct dependency fix Resolution (jest): 25.0.0
CVE-2020-7598
Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz, minimist-0.0.10.tgz
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - jest-haste-map-24.9.0.tgz
        - fsevents-1.2.9.tgz
          - node-pre-gyp-0.12.0.tgz
            - mkdirp-0.5.1.tgz
              - ❌ minimist-0.0.8.tgz (Vulnerable Library)
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - core-7.7.4.tgz
        - json5-2.1.1.tgz
          - ❌ minimist-1.2.0.tgz (Vulnerable Library)
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - reporters-24.9.0.tgz
        - istanbul-reports-2.2.6.tgz
          - handlebars-4.5.3.tgz
            - optimist-0.6.1.tgz
              - ❌ minimist-0.0.10.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (jest): 25.0.0
CVE-2020-15366
Vulnerable Libraries - ajv-6.10.2.tgz, ajv-6.10.0.tgz
ajv-6.10.2.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - request-2.88.0.tgz
            - har-validator-5.1.3.tgz
              - ❌ ajv-6.10.2.tgz (Vulnerable Library)
ajv-6.10.0.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - request-2.88.0.tgz
            - har-validator-5.1.3.tgz
              - ❌ ajv-6.10.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-32640
Vulnerable Library - ws-5.2.2.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - ❌ ws-5.2.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Publish Date: 2021-05-25
URL: CVE-2021-32640
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-6fc8-4gx4-v693
Release Date: 2021-05-25
Fix Resolution (ws): 5.2.3
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-23362
Vulnerable Library - hosted-git-info-2.8.5.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.5.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - transform-24.9.0.tgz
        - babel-plugin-istanbul-5.2.0.tgz
          - test-exclude-5.2.3.tgz
            - read-pkg-up-4.0.0.tgz
              - read-pkg-3.0.0.tgz
                - normalize-package-data-2.5.0.tgz
                  - ❌ hosted-git-info-2.8.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (jest): 25.0.0
CVE-2021-23343
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - core-7.7.4.tgz
        - resolve-1.13.1.tgz
          - ❌ path-parse-1.0.6.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via the splitDeviceRe, splitTailRe, and splitPathRe regular expressions. The affected regular expressions exhibit polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (jest): 25.0.0
CVE-2020-7608
Vulnerable Library - yargs-parser-13.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.1.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - yargs-13.3.0.tgz
      - ❌ yargs-parser-13.1.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (jest): 25.0.0
CVE-2020-28500
Vulnerable Libraries - lodash-4.17.15.tgz, lodash-4.17.19.tgz
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /ndp-check-redirects/package.json
Path to vulnerable library: /ndp-check-redirects/node_modules/lodash/package.json
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - core-24.9.0.tgz
      - jest-snapshot-24.9.0.tgz
        - types-7.7.4.tgz
          - ❌ lodash-4.17.15.tgz (Vulnerable Library)
lodash-4.17.19.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - core-7.7.4.tgz
        - ❌ lodash-4.17.19.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (jest): 25.0.0
⛑️ Automatic Remediation will be attempted for this issue.