Security Vulnerability CVE-2021-23406 inside /usr/lib/code-server/vendor/modules/code-oss-dev/yarn.lock

[jsjoeio]

Mentioned vulnerability still exists in code-oss-dev . /usr/lib/code-server/vendor/modules/code-oss-dev/yarn.lock still has the 4.2.0 version of pac-resolver.

— Manohar Joshi

Reported to security@coder.com over email.

[manoharsjoshi]

thank you @jsjoeio for creating issue on behalf of me..

[jsjoeio]

Hmmm... I ran our audit tool yarn _audit and don't see anything reported:

➜  code-server git:(main) yarn _audit
yarn run v1.22.11
$ ./ci/dev/audit.sh
$ /Users/jp/Dev/coder/code-server/node_modules/.bin/audit-ci --moderate
audit-ci version: 4.1.0
Yarn audit report results:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 0,
    "critical": 0
  },
  "dependencies": 689,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 689
}
Passed yarn security audit.
✨  Done in 5.55s.

I also ran yarn audit in /vendor and don't see anything:

➜  code-server git:(main) cd vendor 
➜  vendor git:(main) ls
modules        package.json   postinstall.sh yarn.lock
➜  vendor git:(main) yarn audit
yarn audit v1.22.11
0 vulnerabilities found - Packages audited: 243
✨  Done in 0.92s.

And if I run yarn why pac-resolver in /vendor, I don't get anything:

➜  vendor git:(main) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔  Why do we have the module "pac-resolver"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 0.61s.

I also checked in our fork and don't see anything 🤔

➜  vscode git:(code-server) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔  Why do we have the module "pac-resolver"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 2.34s.

Maybe this has been fixed or something I'm doing something wrong. Any ideas @TeffenEllis @code-asher ?

[manoharsjoshi]

Hello @jsjoeio , Do you need more information on this.

[jsjoeio]

@manoharsjoshi - yes if you don't mind! I am wondering if it's been fixed already. I couldn't reproduce or find it using main or code-server in the VS Code fork repo.

[greyscaled]

I'll take a look with trivy

[greyscaled]

@jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:

modules/code-oss-dev/build/lib/watch/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/build/win32/Cargo.lock
===========================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+
| LIBRARY | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION | FIXED VERSION |                    TITLE                    |
+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+
| term    | RUSTSEC-2018-0015 | UNKNOWN  | 0.4.6             |               | term is looking for a new maintainer        |
|         |                   |          |                   |               | -->rustsec.org/advisories/RUSTSEC-2018-0015 |
+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+

modules/code-oss-dev/build/yarn.lock
====================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| nth-check  | CVE-2021-3803    | HIGH     | 1.0.2             | 2.0.1         | nodejs-nth-check: inefficient         |
|            |                  |          |                   |               | regular expression complexity         |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+------------+------------------+          +-------------------+---------------+---------------------------------------+
| underscore | CVE-2021-23358   |          | 1.8.3             | 1.12.1        | nodejs-underscore: Arbitrary code     |
|            |                  |          |                   |               | execution via the template function   |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23358 |
+            +                  +          +-------------------+               +                                       +
|            |                  |          | 1.9.1             |               |                                       |
|            |                  |          |                   |               |                                       |
|            |                  |          |                   |               |                                       |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| xmldom     | CVE-2021-21366   | MEDIUM   | 0.1.31            | 0.5.0         | Misinterpretation of                  |
|            |                  |          |                   |               | malicious XML input                   |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-21366 |
+            +------------------+          +                   +---------------+---------------------------------------+
|            | CVE-2021-32796   |          |                   |               | nodejs-xmldom: misinterpretation      |
|            |                  |          |                   |               | of malicious XML input                |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-32796 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/extensions/bat/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/clojure/yarn.lock
=================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/coffeescript/yarn.lock
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/configuration-editing/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/cpp/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/csharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/css-language-features/server/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/css-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/css/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/debug-auto-launch/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/debug-server-ready/yarn.lock
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/docker/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/emmet/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/extension-editing/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/fsharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/git/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/github-authentication/yarn.lock
===============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| axios   | CVE-2021-3749    | HIGH     | 0.21.1            | 0.21.2        | nodejs-axios: Regular expression     |
|         |                  |          |                   |               | denial of service in trim function   |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3749 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+

modules/code-oss-dev/extensions/github/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/go/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/groovy/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/grunt/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/gulp/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/handlebars/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/hlsl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/html-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/html-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/html/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/image-preview/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/ini/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/ipynb/yarn.lock
===============================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| url-parse | CVE-2021-27515   | MEDIUM   | 1.4.7             | 1.5.0         | nodejs-url-parse: mishandling         |
|           |                  |          |                   |               | certain uses of backslash may         |
|           |                  |          |                   |               | lead to confidentiality compromise    |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27515 |
+           +------------------+          +                   +---------------+---------------------------------------+
|           | CVE-2021-3664    |          |                   | 1.5.2         | nodejs-url-parse: URL                 |
|           |                  |          |                   |               | Redirection to Untrusted Site         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3664  |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/extensions/jake/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/java/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/javascript/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/json-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/json-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/json/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/less/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/log/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/lua/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/make/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/markdown-basics/yarn.lock
=========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/markdown-language-features/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/markdown-math/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/merge-conflict/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/microsoft-authentication/yarn.lock
==================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/npm/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/objective-c/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/perl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/php-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/php/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/powershell/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/pug/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/python/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/r/yarn.lock
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/razor/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/ruby/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/rust/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/scss/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/search-result/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/shaderlab/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/shellscript/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/simple-browser/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/sql/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/swift/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-abyss/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-defaults/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-kimbie-dark/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-monokai-dimmed/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-monokai/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-quietlight/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-red/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-seti/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-solarized-dark/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-solarized-light/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/theme-tomorrow-night-blue/yarn.lock
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/typescript-basics/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/typescript-language-features/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vb/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vscode-api-tests/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vscode-colorize-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vscode-custom-editor-tests/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vscode-notebook-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/vscode-test-resolver/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/xml/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/yaml/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/extensions/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/remote/web/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/remote/yarn.lock
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/test/automation/yarn.lock
==============================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| hosted-git-info | CVE-2021-23362   | MEDIUM   | 2.8.8             | 2.8.9, 3.0.8  | nodejs-hosted-git-info: Regular       |
|                 |                  |          |                   |               | Expression denial of service          |
|                 |                  |          |                   |               | via shortcutMatch in fromUrl()        |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23362 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| merge           | CVE-2020-28499   | CRITICAL | 1.2.1             | 2.1.1         | Prototype Pollution in merge          |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28499 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| minimist        | CVE-2020-7598    | MEDIUM   | 1.2.0             | 1.2.3, 0.2.1  | nodejs-minimist: prototype            |
|                 |                  |          |                   |               | pollution allows adding               |
|                 |                  |          |                   |               | or modifying properties of            |
|                 |                  |          |                   |               | Object.prototype using a...           |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7598  |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| path-parse      | CVE-2021-23343   | HIGH     | 1.0.6             | 1.0.7         | nodejs-path-parse:                    |
|                 |                  |          |                   |               | ReDoS via splitDeviceRe,              |
|                 |                  |          |                   |               | splitTailRe and splitPathRe           |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23343 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/test/integration/browser/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/test/leaks/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/test/monaco/yarn.lock
==========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


modules/code-oss-dev/test/smoke/yarn.lock
=========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| merge   | CVE-2020-28499   | CRITICAL | 1.2.1             | 2.1.1         | Prototype Pollution in merge          |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28499 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)

+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                 TITLE                 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| ansi-regex   | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient          |
|              |                  |          |                   |                               | regular expression                    |
|              |                  |          |                   |                               | complexity allows for a crash         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807  |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 4.1.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 5.0.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| glob-parent  | CVE-2020-28469   |          | 3.1.0             | 5.1.2                         | nodejs-glob-parent: Regular           |
|              |                  |          |                   |                               | expression denial of service          |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| nth-check    | CVE-2021-3803    |          | 1.0.2             | 2.0.1                         | nodejs-nth-check: inefficient         |
|              |                  |          |                   |                               | regular expression complexity         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| set-value    | CVE-2021-23440   | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion      |
|              |                  |          |                   |                               | allows bypass of CVE-2019-10747       |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| tar          | CVE-2021-32803   | HIGH     | 2.2.2             | 6.1.2, 5.0.7, 4.4.15, 3.2.3   | nodejs-tar: Insufficient symlink      |
|              |                  |          |                   |                               | protection allowing arbitrary         |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32803 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2   | nodejs-tar: Insufficient absolute     |
|              |                  |          |                   |                               | path sanitization allowing arbitrary  |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32804 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16          | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37701 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18         | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37712 |
+              +------------------+          +                   +                               +---------------------------------------+
|              | CVE-2021-37713   |          |                   |                               | Arbitrary File Creation/Overwrite     |
|              |                  |          |                   |                               | on Windows via insufficient           |
|              |                  |          |                   |                               | relative path sanitization            |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37713 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| yargs-parser | CVE-2020-7608    | MEDIUM   | 13.1.1            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype        |
|              |                  |          |                   |                               | pollution vulnerability               |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+

modules/sumchecker/yarn.lock
============================
Total: 29 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 17, CRITICAL: 3)

+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
|      LIBRARY      |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                    TITLE                     |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| acorn             | GHSA-6chw-6frg-f759 | HIGH     | 7.1.0             | 5.7.4, 7.1.1, 6.4.1           | Regular Expression Denial                    |
|                   |                     |          |                   |                               | of Service in Acorn                          |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-6chw-6frg-f759 |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| ansi-regex        | CVE-2021-3807       |          | 4.1.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient                 |
|                   |                     |          |                   |                               | regular expression                           |
|                   |                     |          |                   |                               | complexity allows for a crash                |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 5.0.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 3.0.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| codecov           | CVE-2020-15123      | CRITICAL | 3.6.1             | 3.7.1                         | Command injection in                         |
|                   |                     |          |                   |                               | codecov (npm package)                        |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-15123        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2020-7597       | HIGH     |                   | 3.6.5                         | codecov NPM module allows                    |
|                   |                     |          |                   |                               | remote attackers to                          |
|                   |                     |          |                   |                               | execute arbitrary commands                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7597         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| dot-prop          | CVE-2020-8116       |          | 4.2.0             | 5.1.1, 4.2.1                  | nodejs-dot-prop: prototype pollution         |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8116         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| glob-parent       | CVE-2020-28469      |          | 5.1.0             | 5.1.2                         | nodejs-glob-parent: Regular                  |
|                   |                     |          |                   |                               | expression denial of service                 |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469        |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 3.1.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| handlebars        | CVE-2021-23369      | CRITICAL | 4.5.3             | 4.7.7                         | nodejs-handlebars: Remote                    |
|                   |                     |          |                   |                               | code execution when compiling                |
|                   |                     |          |                   |                               | untrusted compile templates                  |
|                   |                     |          |                   |                               | with strict:true option...                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23369        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | NSWG-ECO-519        | MEDIUM   |                   | >=4.6.0                       | Denial of Service                            |
|                   |                     |          |                   |                               | -->hackerone.com/reports/726364              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| hosted-git-info   | CVE-2021-23362      |          | 2.8.5             | 2.8.9, 3.0.8                  | nodejs-hosted-git-info: Regular              |
|                   |                     |          |                   |                               | Expression denial of service                 |
|                   |                     |          |                   |                               | via shortcutMatch in fromUrl()               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23362        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| ini               | CVE-2020-7788       | HIGH     | 1.3.5             | 1.3.6                         | nodejs-ini: Prototype pollution              |
|                   |                     |          |                   |                               | via malicious INI file                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7788         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| kind-of           | CVE-2019-20149      |          | 6.0.2             | 6.0.3                         | nodejs-kind-of: ctorName in                  |
|                   |                     |          |                   |                               | index.js allows external user input          |
|                   |                     |          |                   |                               | to overwrite certain internal...             |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-20149        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| lodash            | CVE-2020-8203       |          | 4.17.15           | 4.17.19                       | nodejs-lodash: prototype pollution           |
|                   |                     |          |                   |                               | in zipObjectDeep function                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8203         |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23337      |          |                   | 4.17.21                       | nodejs-lodash: command                       |
|                   |                     |          |                   |                               | injection via template                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23337        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | NSWG-ECO-516        |          |                   | >=4.17.19                     | Allocation of Resources                      |
|                   |                     |          |                   |                               | Without Limits or Throttling                 |
|                   |                     |          |                   |                               | -->www.npmjs.com/advisories/1523             |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| minimist          | CVE-2020-7598       | MEDIUM   | 0.0.8             | 1.2.3, 0.2.1                  | nodejs-minimist: prototype                   |
|                   |                     |          |                   |                               | pollution allows adding                      |
|                   |                     |          |                   |                               | or modifying properties of                   |
|                   |                     |          |                   |                               | Object.prototype using a...                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7598         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 1.2.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 0.0.10            |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| node-fetch        | CVE-2020-15168      |          | 2.6.0             | 3.0.0-beta.9, 2.6.1           | node-fetch: size of data after               |
|                   |                     |          |                   |                               | fetch() JS thread leads to DoS               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-15168        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| normalize-url     | CVE-2021-33502      | HIGH     | 4.5.0             | 4.5.1, 6.0.1, 5.3.1           | normalize-url: ReDoS for data URLs           |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-33502        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| path-parse        | CVE-2021-23343      |          | 1.0.6             | 1.0.7                         | nodejs-path-parse:                           |
|                   |                     |          |                   |                               | ReDoS via splitDeviceRe,                     |
|                   |                     |          |                   |                               | splitTailRe and splitPathRe                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23343        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| set-value         | CVE-2021-23440      | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion             |
|                   |                     |          |                   |                               | allows bypass of CVE-2019-10747              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-newlines     | CVE-2021-33623      | HIGH     | 2.0.0             | 4.0.1, 3.0.1                  | nodejs-trim-newlines:                        |
|                   |                     |          |                   |                               | ReDoS in .end() method                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-33623        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-off-newlines | CVE-2021-23425      | MEDIUM   | 1.0.1             |                               | nodejs-trim-off-newlines:                    |
|                   |                     |          |                   |                               | ReDoS via string processing                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23425        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| y18n              | CVE-2020-7774       | HIGH     | 4.0.0             | 5.0.5, 4.0.1, 3.2.2           | nodejs-y18n: prototype                       |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7774         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| yargs-parser      | CVE-2020-7608       | MEDIUM   | 10.1.0            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype               |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 13.1.1            |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+

yarn.lock
=========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | node-ansi-regex: inefficient         |
|            |                  |          |                   |               | regular expression                   |
|            |                  |          |                   |               | complexity allows for a crash        |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+

[greyscaled]

The ones called out by this issue are specifically:

modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)

+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                 TITLE                 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| ansi-regex   | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient          |
|              |                  |          |                   |                               | regular expression                    |
|              |                  |          |                   |                               | complexity allows for a crash         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807  |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 4.1.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 5.0.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| glob-parent  | CVE-2020-28469   |          | 3.1.0             | 5.1.2                         | nodejs-glob-parent: Regular           |
|              |                  |          |                   |                               | expression denial of service          |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| nth-check    | CVE-2021-3803    |          | 1.0.2             | 2.0.1                         | nodejs-nth-check: inefficient         |
|              |                  |          |                   |                               | regular expression complexity         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| set-value    | CVE-2021-23440   | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion      |
|              |                  |          |                   |                               | allows bypass of CVE-2019-10747       |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| tar          | CVE-2021-32803   | HIGH     | 2.2.2             | 6.1.2, 5.0.7, 4.4.15, 3.2.3   | nodejs-tar: Insufficient symlink      |
|              |                  |          |                   |                               | protection allowing arbitrary         |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32803 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2   | nodejs-tar: Insufficient absolute     |
|              |                  |          |                   |                               | path sanitization allowing arbitrary  |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32804 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16          | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37701 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18         | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37712 |
+              +------------------+          +                   +                               +---------------------------------------+
|              | CVE-2021-37713   |          |                   |                               | Arbitrary File Creation/Overwrite     |
|              |                  |          |                   |                               | on Windows via insufficient           |
|              |                  |          |                   |                               | relative path sanitization            |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37713 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| yargs-parser | CVE-2020-7608    | MEDIUM   | 13.1.1            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype        |
|              |                  |          |                   |                               | pollution vulnerability               |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+

however I don't see 23406

[jsjoeio]

@jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:

Amazing! @vapurrmaid what steps did you run to catch these? I can do the same and then submit a PR to https://github.com/cdr/vscode to the code-server branch (that's our equivalent of main).

[greyscaled]

@jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:

Amazing! @vapurrmaid what steps did you run to catch these? I can do the same and then submit a PR to https://github.com/cdr/vscode to the code-server branch (that's our equivalent of main).

cd vendor
trivy fs .

I have trivy installed in my workspace, so for reproducing in an environment that doesn't already have this installed, you'd need to follow: https://aquasecurity.github.io/trivy/v0.20.0/getting-started/installation/

[jsjoeio]

Easy! Thanks @vapurrmaid 🙌 I'll see if I can knock this out today or tomorrow.