Closed
Description
Docker Desktop 4.31.0 (153195)
docker scout 1.9.3 (this outdated version is bound to latest Docker Desktop)
Vulnerability:

```
pkg:npm/loader-utils@1.4.0
    ✗ CRITICAL CVE-2022-37601 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')]
      https://scout.docker.com/v/CVE-2022-37601
      Affected range : <1.4.1
      Fixed version  : 1.4.1
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    ✗ HIGH CVE-2022-37603 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-37603
      Affected range : >=1.0.0
                     : <1.4.2
      Fixed version  : 1.4.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    ✗ HIGH CVE-2022-37599 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-37599
      Affected range : >=1.0.0
                     : <1.4.2
      Fixed version  : 1.4.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
```
Checking version with npm:

```
# npm list loader-utils
app@ /app
+-- @symfony/stimulus-bridge@2.1.0
| `-- loader-utils@2.0.4
+-- @symfony/webpack-encore@4.2.0
| `-- resolve-url-loader@5.0.0
|   +-- adjust-sourcemap-loader@4.0.0
|   | `-- loader-utils@2.0.4
|   `-- loader-utils@2.0.4
+-- babel-loader@8.3.0
| `-- loader-utils@2.0.4
+-- copy-webpack-plugin@7.0.0
| `-- loader-utils@2.0.4
+-- file-loader@6.2.0
| `-- loader-utils@2.0.4
+-- loader-utils@3.2.1
`-- webpack-jquery-ui@2.0.1
  +-- css-loader@1.0.1
  | `-- loader-utils@1.4.2
  +-- file-loader@1.1.11
  | `-- loader-utils@1.4.2 deduped
  `-- style-loader@0.21.0
    `-- loader-utils@1.4.2
```
There is no version 1.4.0 installed, only 1.4.2 (or higher).
I suspect "scout" is checking the package.json, ignoring lock files like yarn.lock, but even if you ONLY consider the package.json, it should "follow" the installation logic of installing the "highest possible version" when ^ is used, therefore I would expect this vulnerability not to show...

What is the logic behind that?
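The check the report above hinges on, as an added example (not code from docker scout or from the issue author): it reads the resolved versions of a package out of a constructed lockfileVersion 3 package-lock.json (assumed here, mirroring the `npm list` tree rather than copied from the issue) and tests each one against the comparators the scanner printed, so only an actually installed 1.4.0 would be flagged, never a `^1.4.0` manifest range.

```python
import json
import re

# Constructed lockfile fragment (lockfileVersion 3 layout: one entry per installed
# path under "packages"); only 1.4.2 and newer appear, as in the npm tree above.
LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"loader-utils": "^3.2.0"}},
        "node_modules/loader-utils": {"version": "3.2.1"},
        "node_modules/babel-loader/node_modules/loader-utils": {"version": "2.0.4"},
        "node_modules/css-loader/node_modules/loader-utils": {"version": "1.4.2"},
        "node_modules/style-loader/node_modules/loader-utils": {"version": "1.4.2"},
    },
})

# Affected ranges exactly as the scanner printed them in the report above.
AFFECTED = {
    "CVE-2022-37601": ["<1.4.1"],
    "CVE-2022-37603": [">=1.0.0", "<1.4.2"],
    "CVE-2022-37599": [">=1.0.0", "<1.4.2"],
}

def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); any pre-release suffix after '-' is ignored here."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def satisfies(version: str, constraint: str) -> bool:
    """Evaluate one comparator such as '<1.4.1' or '>=1.0.0' against a resolved version."""
    m = re.fullmatch(r"(<=|>=|<|>|=)?\s*([\d.]+)", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    op, bound, v = m.group(1) or "=", parse_version(m.group(2)), parse_version(version)
    return {"<": v < bound, "<=": v <= bound, ">": v > bound, ">=": v >= bound, "=": v == bound}[op]

def resolved_versions(lock_json: str, pkg: str) -> dict:
    """Map every installed path of `pkg` (top-level or nested) to its resolved version."""
    packages = json.loads(lock_json)["packages"]
    return {path: meta["version"] for path, meta in packages.items()
            if path.endswith(f"node_modules/{pkg}") and "version" in meta}

def vulnerable_installs(lock_json: str, pkg: str) -> dict:
    """Return {CVE: [paths whose resolved version satisfies every comparator of that range]}."""
    hits = {}
    for cve, comparators in AFFECTED.items():
        for path, version in resolved_versions(lock_json, pkg).items():
            if all(satisfies(version, c) for c in comparators):
                hits.setdefault(cve, []).append(path)
    return hits
```

Run against the constructed lockfile, `vulnerable_installs(LOCKFILE, "loader-utils")` is empty, which is the result the issue author expected from the scanner.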