Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

webpack-4.46.0.tgz: 13 vulnerabilities (highest severity is: 9.8) #69

Open
mend-bolt-for-github bot opened this issue Jul 18, 2022 · 3 comments
Open

webpack-4.46.0.tgz: 13 vulnerabilities (highest severity is: 9.8) #69

mend-bolt-for-github bot opened this issue Jul 18, 2022 · 3 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Jul 18, 2022
edited
Loading

Vulnerable Library - webpack-4.46.0.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack/package.json

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (webpack version) Remediation Possible**
CVE-2022-37601 Critical 9.8 loader-utils-1.4.0.tgz Transitive 4.47.0
CVE-2021-44906 Critical 9.8 minimist-1.2.5.tgz Transitive 4.47.0
CVE-2024-48949 Critical 9.1 elliptic-6.5.4.tgz Transitive 4.47.0
CVE-2024-4068 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2022-38900 High 7.5 decode-uri-component-0.2.0.tgz Transitive 4.47.0
CVE-2022-37603 High 7.5 loader-utils-1.4.0.tgz Transitive 4.47.0
CVE-2022-46175 High 7.1 json5-1.0.1.tgz Transitive 4.47.0
CVE-2023-46234 Medium 6.5 browserify-sign-4.2.1.tgz Transitive 4.47.0
CVE-2024-43788 Medium 6.4 webpack-4.46.0.tgz Direct 5.94.0
CVE-2024-4067 Medium 5.3 micromatch-3.1.10.tgz Transitive 5.0.0
CVE-2022-25883 Medium 5.3 semver-5.7.1.tgz Transitive 5.0.0
CVE-2022-25858 Medium 5.3 terser-4.8.0.tgz Transitive 4.47.0
CVE-2024-48948 Medium 4.8 elliptic-6.5.4.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37601

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json,/backend/node_modules/minimist/package.json,/backend/new/chongluadao-backend/node_modules/minimist/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • mkdirp-0.5.5.tgz
      • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2024-48949

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.4.tgz
          • elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Publish Date: 2024-10-10

URL: CVE-2024-48949

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-48949

Release Date: 2024-10-10

Fix Resolution (elliptic): 6.5.6

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2024-4068

Vulnerable Libraries - braces-2.3.2.tgz, braces-3.0.2.tgz

braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /backend/new/chongluadao-backend/package.json

Path to vulnerable library: /backend/new/chongluadao-backend/node_modules/sane/node_modules/braces/package.json,/node_modules/braces/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • braces-2.3.2.tgz (Vulnerable Library)

braces-3.0.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/watchpack/node_modules/braces/package.json,/backend/new/chongluadao-backend/node_modules/braces/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • watchpack-1.7.5.tgz
      • chokidar-3.5.1.tgz
        • braces-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

Step up your Open Source Security Game with Mend here

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json,/backend/new/chongluadao-backend/node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • source-map-resolve-0.5.3.tgz
          • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2022-37603

Vulnerable Library - loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2022-46175

Vulnerable Library - json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /backend/new/chongluadao-backend/package.json

Path to vulnerable library: /backend/new/chongluadao-backend/node_modules/json5/package.json,/node_modules/json5/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • loader-utils-1.4.0.tgz
      • json5-1.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2023-46234

Vulnerable Library - browserify-sign-4.2.1.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserify-sign/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution (browserify-sign): 4.2.2

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2024-43788

Vulnerable Library - webpack-4.46.0.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-4.46.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/webpack/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2024-08-27

URL: CVE-2024-43788

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4vvj-4cpr-p986

Release Date: 2024-08-27

Fix Resolution: 5.94.0

Step up your Open Source Security Game with Mend here

CVE-2024-4067

Vulnerable Library - micromatch-3.1.10.tgz

Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch.

Library home page: https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/package.json,/backend/new/chongluadao-backend/node_modules/sane/node_modules/micromatch/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • micromatch-3.1.10.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 should not reflect the security risk score in NVD, but will be kept for users' awareness.

Publish Date: 2024-05-13

URL: CVE-2024-4067

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution (micromatch): 4.0.8

Direct dependency fix Resolution (webpack): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /backend/new/chongluadao-backend/package.json

Path to vulnerable library: /backend/new/chongluadao-backend/node_modules/jsonwebtoken/node_modules/semver/package.json,/backend/new/chongluadao-backend/node_modules/require_optional/node_modules/semver/package.json,/node_modules/make-dir/node_modules/semver/package.json,/backend/node_modules/semver/package.json,/node_modules/normalize-package-data/node_modules/semver/package.json,/node_modules/webpack-cli/node_modules/semver/package.json,/backend/new/chongluadao-backend/node_modules/sane/node_modules/semver/package.json,/backend/new/chongluadao-backend/node_modules/normalize-package-data/node_modules/semver/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • terser-webpack-plugin-1.4.5.tgz
      • find-cache-dir-2.1.0.tgz
        • make-dir-2.1.0.tgz
          • semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (webpack): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25858

Vulnerable Library - terser-4.8.0.tgz

JavaScript parser, mangler/compressor and beautifier toolkit for ES6+

Library home page: https://registry.npmjs.org/terser/-/terser-4.8.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/terser/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • terser-webpack-plugin-1.4.5.tgz
      • terser-4.8.0.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Publish Date: 2022-07-15

URL: CVE-2022-25858

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25858

Release Date: 2022-07-15

Fix Resolution (terser): 4.8.1

Direct dependency fix Resolution (webpack): 4.47.0

Step up your Open Source Security Game with Mend here

CVE-2024-48948

Vulnerable Library - elliptic-6.5.4.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

  • webpack-4.46.0.tgz (Root Library)
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • create-ecdh-4.0.4.tgz
          • elliptic-6.5.4.tgz (Vulnerable Library)

Found in HEAD commit: 5c247eb22e22c12bff47f03f69c6fad26286b722

Found in base branch: main

Vulnerability Details

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Publish Date: 2024-10-15

URL: CVE-2024-48948

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fc9h-whq2-v747

Release Date: 2024-10-15

Fix Resolution: elliptic - 6.6.0

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jul 18, 2022
@secure-code-warrior-for-github
Copy link

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try this challenge in Secure Code Warrior

@mend-bolt-for-github mend-bolt-for-github bot changed the title webpack-4.46.0.tgz: 1 vulnerabilities (highest severity is: 5.3) webpack-4.46.0.tgz: 1 vulnerabilities (highest severity is: 7.5) Jul 26, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title webpack-4.46.0.tgz: 1 vulnerabilities (highest severity is: 7.5) webpack-4.46.0.tgz: 13 vulnerabilities (highest severity is: 9.8) Jan 19, 2025
@mend-bolt-for-github Mend Bolt for GitHub
Copy link
Contributor Author

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

@secure-code-warrior-for-github Secure Code Warrior for GitHub
Copy link

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "cross-site scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dshongphuc