exporter-metrics-otlp-grpc-0.44.0.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github-com]

Vulnerable Library - exporter-metrics-otlp-grpc-0.44.0.tgz

Path to dependency file: /src/paymentservice/package.json

Path to vulnerable library: /src/frontend/node_modules/protobufjs/package.json,/src/paymentservice/node_modules/protobufjs/package.json

Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (exporter-metrics-otlp-grpc version)	Remediation Possible**
CVE-2023-36665	Critical	9.8	protobufjs-7.2.4.tgz	Transitive	0.45.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36665

Vulnerable Library - protobufjs-7.2.4.tgz

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz

Path to dependency file: /src/frontend/package.json

Path to vulnerable library: /src/frontend/node_modules/protobufjs/package.json,/src/paymentservice/node_modules/protobufjs/package.json

Dependency Hierarchy:

• exporter-metrics-otlp-grpc-0.44.0.tgz (Root Library)
  • otlp-grpc-exporter-base-0.44.0.tgz
    • ❌ protobufjs-7.2.4.tgz (Vulnerable Library)

Found in HEAD commit: de73c8b6e42eb87e8f3abc02dbfb4a71a6d2f028

Found in base branch: main

Vulnerability Details

"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36665

Release Date: 2023-07-05

Fix Resolution (protobufjs): 7.2.5

Direct dependency fix Resolution (@opentelemetry/exporter-metrics-otlp-grpc): 0.45.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.