@kleros/cross-chain-realitio-evidence-display-1.0.1.tgz: 47 vulnerabilities (highest severity is: 9.8) #6

Open
mend-bolt-for-github bot opened this issue Jan 15, 2025 · 0 comments
Labels: dependencies (Pull requests that update a dependency file), Mend: dependency security vulnerability (Security vulnerability detected by Mend)

Comment by @mend-bolt-for-github (Contributor)

Vulnerable Library - @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (@kleros/cross-chain-realitio-evidence-display version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| MSC-2023-16600 | Critical | 9.8 | fsevents-1.2.4.tgz | Transitive | N/A* | |
| CVE-2023-45311 | Critical | 9.8 | fsevents-1.2.4.tgz | Transitive | N/A* | |
| CVE-2022-37601 | Critical | 9.8 | loader-utils-1.2.3.tgz | Transitive | N/A* | |
| CVE-2021-42740 | Critical | 9.8 | shell-quote-1.6.1.tgz | Transitive | N/A* | |
| CVE-2021-3757 | Critical | 9.8 | immer-1.10.0.tgz | Transitive | N/A* | |
| CVE-2023-45133 | Critical | 9.3 | babel-traverse-6.26.0.tgz | Transitive | N/A* | |
| CVE-2024-48949 | Critical | 9.1 | elliptic-6.5.4.tgz | Transitive | N/A* | |
| CVE-2024-29415 | Critical | 9.1 | ip-1.1.9.tgz | Transitive | N/A* | |
| CVE-2020-7660 | High | 8.1 | serialize-javascript-1.9.1.tgz | Transitive | N/A* | |
| CVE-2024-48930 | High | 7.5 | secp256k1-4.0.3.tgz | Transitive | N/A* | |
| CVE-2024-4068 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-37890 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-21538 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-21536 | High | 7.5 | http-proxy-middleware-0.18.0.tgz | Transitive | N/A* | |
| CVE-2024-21505 | High | 7.5 | web3-utils-1.3.1.tgz | Transitive | N/A* | |
| CVE-2022-37620 | High | 7.5 | html-minifier-3.5.21.tgz | Transitive | N/A* | |
| CVE-2022-37603 | High | 7.5 | loader-utils-1.2.3.tgz | Transitive | N/A* | |
| CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* | |
| CVE-2022-24772 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2022-24771 | High | 7.5 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2021-3803 | High | 7.5 | nth-check-1.0.2.tgz | Transitive | N/A* | |
| CVE-2021-23424 | High | 7.5 | ansi-html-0.0.7.tgz | Transitive | N/A* | |
| CVE-2020-28477 | High | 7.5 | immer-1.10.0.tgz | Transitive | N/A* | |
| CVE-2024-29180 | High | 7.4 | webpack-dev-middleware-3.4.0.tgz | Transitive | N/A* | |
| CVE-2020-28499 | High | 7.3 | merge-1.2.1.tgz | Transitive | N/A* | |
| CVE-2022-46175 | High | 7.1 | json5-0.5.1.tgz | Transitive | N/A* | |
| WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2024-28863 | Medium | 6.5 | tar-4.4.19.tgz | Transitive | N/A* | |
| CVE-2023-26136 | Medium | 6.5 | tough-cookie-2.5.0.tgz | Transitive | N/A* | |
| CVE-2024-43788 | Medium | 6.4 | webpack-4.28.3.tgz | Transitive | N/A* | |
| CVE-2023-28155 | Medium | 6.1 | request-2.88.2.tgz | Transitive | N/A* | |
| CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | N/A* | |
| CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2021-24033 | Medium | 5.6 | react-dev-utils-8.0.0.tgz | Transitive | N/A* | |
| CVE-2021-23436 | Medium | 5.6 | immer-1.10.0.tgz | Transitive | N/A* | |
| CVE-2024-4067 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2023-44270 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | N/A* | |
| CVE-2022-25858 | Medium | 5.3 | terser-3.17.0.tgz | Transitive | N/A* | |
| CVE-2022-24773 | Medium | 5.3 | node-forge-0.10.0.tgz | Transitive | N/A* | |
| CVE-2021-23382 | Medium | 5.3 | postcss-6.0.23.tgz | Transitive | N/A* | |
| CVE-2021-23364 | Medium | 5.3 | browserslist-4.4.1.tgz | Transitive | N/A* | |
| CVE-2020-7693 | Medium | 5.3 | sockjs-0.3.19.tgz | Transitive | N/A* | |
| CVE-2020-7608 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2020-28469 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-48948 | Medium | 4.8 | elliptic-6.5.4.tgz | Transitive | N/A* | |
| CVE-2019-16769 | Medium | 4.2 | serialize-javascript-1.9.1.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

MSC-2023-16600

Vulnerable Library - fsevents-1.2.4.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • fsevents-1.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Publish Date: 2023-09-20

URL: MSC-2023-16600

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-45311

Vulnerable Library - fsevents-1.2.4.tgz

Native Access to Mac OS-X FSEvents

Library home page: https://registry.npmjs.org/fsevents/-/fsevents-1.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • fsevents-1.2.4.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Publish Date: 2023-10-06

URL: CVE-2023-45311

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-45311

Release Date: 2023-10-06

Fix Resolution: fsevents - 1.2.11

CVE-2022-37601

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution: loader-utils - 1.4.1,2.0.3

CVE-2021-42740

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the range between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution: shell-quote - 1.7.3

CVE-2021-3757

Vulnerable Library - immer-1.10.0.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-1.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • immer-1.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution: immer - 9.0.6

CVE-2023-45133

Vulnerable Library - babel-traverse-6.26.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • babel-jest-23.6.0.tgz
        • babel-plugin-istanbul-4.1.6.tgz
          • istanbul-lib-instrument-1.10.2.tgz
            • babel-traverse-6.26.0.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution: @babel/traverse - 7.23.2

CVE-2024-48949

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • reality-eth-lib-3.1.13.tgz
      • ethereumjs-abi-0.6.8.tgz
        • ethereumjs-util-6.2.1.tgz
          • elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution: elliptic - 6.5.6

CVE-2024-29415

Vulnerable Library - ip-1.1.9.tgz

Library home page: https://registry.npmjs.org/ip/-/ip-1.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • webpack-dev-server-3.1.14.tgz
        • ip-1.1.9.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Mend Note: We assigned a different CVSS score to this CVE because of its potential to result in a Server-Side Request Forgery (SSRF) vulnerability. Additionally, the package is no longer maintained, which increases the associated risk.

Publish Date: 2024-05-27

URL: CVE-2024-29415

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

CVE-2020-7660

Vulnerable Library - serialize-javascript-1.9.1.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-1.9.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • terser-webpack-plugin-1.2.2.tgz
        • serialize-javascript-1.9.1.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-01

Fix Resolution: serialize-javascript - 3.1.0

CVE-2024-48930

Vulnerable Library - secp256k1-4.0.3.tgz

This module provides native bindings to ecdsa secp256k1 functions

Library home page: https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • reality-eth-lib-3.1.13.tgz
      • ethereumjs-abi-0.6.8.tgz
        • ethereumjs-util-6.2.1.tgz
          • ethereum-cryptography-0.1.3.tgz
            • secp256k1-4.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

secp256k1-node is a Node.js binding for an optimized C library for EC operations on curve secp256k1. In the elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that check. That allows an attacker to use public keys on low-cardinality curves to extract enough information to fully recover the private key from as little as 11 ECDH sessions, and very cheaply in compute power. Other operations on public keys are also affected, including publicKeyVerify() incorrectly returning true on those invalid keys, and publicKeyTweakMul() returning predictable outcomes that allow the tweak to be recovered. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

Publish Date: 2024-10-21

URL: CVE-2024-48930

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-584q-6j8j-r5pm

Release Date: 2024-10-21

Fix Resolution: secp256k1 - 3.8.1,4.0.4,5.0.1

CVE-2024-4068

Vulnerable Libraries - braces-1.8.5.tgz, braces-2.3.2.tgz

braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • jest-23.6.0.tgz
        • jest-cli-23.6.0.tgz
          • micromatch-2.3.11.tgz
            • braces-1.8.5.tgz (Vulnerable Library)

braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • webpack-dev-server-3.1.14.tgz
        • chokidar-2.1.8.tgz
          • braces-2.3.2.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, Mend concluded that CVE-2024-4068 does not carry the high security risk reflected by the NVD score, but it is kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2024-37890

Vulnerable Libraries - ws-7.4.6.tgz, ws-3.3.3.tgz

ws-7.4.6.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • reality-eth-lib-3.1.13.tgz
      • contracts-3.0.66.tgz
        • ethers-5.7.2.tgz
          • providers-5.7.2.tgz
            • ws-7.4.6.tgz (Vulnerable Library)

ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • web3-1.3.1.tgz
      • web3-bzz-1.3.1.tgz
        • swarm-js-0.1.42.tgz
          • eth-lib-0.1.29.tgz
            • ws-3.3.3.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and [email protected] (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution: ws - 5.2.4,6.2.3,7.5.10,8.17.1

CVE-2024-21538

Vulnerable Libraries - cross-spawn-6.0.5.tgz, cross-spawn-7.0.3.tgz

cross-spawn-6.0.5.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • cross-spawn-6.0.5.tgz (Vulnerable Library)

cross-spawn-7.0.3.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • fsevents-1.2.4.tgz
        • nan-2.22.0.tgz
          • node-gyp-10.1.0.tgz
            • glob-10.4.2.tgz
              • foreground-child-3.2.1.tgz
                • cross-spawn-7.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can drive up CPU usage and crash the program by supplying a very large, specially crafted string.

Publish Date: 2024-11-08

URL: CVE-2024-21538

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538

Release Date: 2024-11-08

Fix Resolution: cross-spawn - 7.0.5

CVE-2024-21536

Vulnerable Library - http-proxy-middleware-0.18.0.tgz

The one-liner node.js proxy middleware for connect, express and browser-sync

Library home page: https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-0.18.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • webpack-dev-server-3.1.14.tgz
        • http-proxy-middleware-0.18.0.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Publish Date: 2024-10-19

URL: CVE-2024-21536

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21536

Release Date: 2024-10-19

Fix Resolution: http-proxy-middleware - 2.0.7,3.0.3

CVE-2024-21505

Vulnerable Library - web3-utils-1.3.1.tgz

Library home page: https://registry.npmjs.org/web3-utils/-/web3-utils-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • web3-1.3.1.tgz
      • web3-utils-1.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge.
An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

Publish Date: 2024-03-25

URL: CVE-2024-21505

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21505

Release Date: 2024-03-25

Fix Resolution: web3-utils - 4.2.1


CVE-2022-37620

Vulnerable Library - html-minifier-3.5.21.tgz

Highly configurable, well-tested, JavaScript-based HTML minifier.

Library home page: https://registry.npmjs.org/html-minifier/-/html-minifier-3.5.21.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • html-webpack-plugin-4.0.0-alpha.2.tgz
        • html-minifier-3.5.21.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.

Publish Date: 2022-10-31

URL: CVE-2022-37620

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High



CVE-2022-37603

Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution: loader-utils - 1.4.2,2.0.4,3.2.1


CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • react-dev-utils-8.0.0.tgz
        • recursive-readdir-2.2.2.tgz
          • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5


CVE-2022-24772

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • webpack-dev-server-3.1.14.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0


CVE-2022-24771

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • @kleros/cross-chain-realitio-evidence-display-1.0.1.tgz (Root Library)
    • react-scripts-2.1.8.tgz
      • webpack-dev-server-3.1.14.tgz
        • selfsigned-1.10.14.tgz
          • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 219ac178dd6fbf9d312f027e0a592615967de732

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution: node-forge - 1.3.0


@mend-bolt-for-github mend-bolt-for-github bot added dependencies Pull requests that update a dependency file Mend: dependency security vulnerability Security vulnerability detected by Mend labels Jan 15, 2025