CVE-2023-26136 (Critical) detected in tough-cookie-2.5.0.tgz - autoclosed

[mend-for-github-com]

CVE-2023-26136 - Critical Severity Vulnerability

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /core/jazz_es-kinesis-log-streamer/package.json

Path to vulnerable library: /core/jazz_es-kinesis-log-streamer/node_modules/tough-cookie/package.json,/builds/jazz_azure-create-service/node_modules/tough-cookie/package.json,/core/jazz_is-slack-channel-available/node_modules/tough-cookie/package.json,/core/jazz_delete-serverless-service/node_modules/tough-cookie/package.json,/core/jazz_asset-event-handler/node_modules/tough-cookie/package.json,/core/jazz_deployments-event-handler/node_modules/tough-cookie/package.json,/core/jazz_token-authorizer/node_modules/tough-cookie/package.json,/core/jazz_environments/node_modules/tough-cookie/package.json,/core/jazz_deployments/node_modules/tough-cookie/package.json,/core/jazz_slack-event-handler/node_modules/tough-cookie/package.json,/core/jazz_logs/node_modules/tough-cookie/package.json,/core/jazz_metrics/node_modules/tough-cookie/package.json,/core/jazz_splunk-kinesis-log-streamer/node_modules/tough-cookie/package.json,/core/jazz_create-serverless-service/node_modules/tough-cookie/package.json,/core/jazz_environment-event-handler/node_modules/tough-cookie/package.json,/templates/react-website-template/app/node_modules/tough-cookie/package.json,/core/jazz_assets/node_modules/tough-cookie/package.json,/core/jazz_scm-webhook/node_modules/tough-cookie/package.json,/core/jazz_acl/node_modules/tough-cookie/package.json,/core/jazz_cognito-authorizer/node_modules/tough-cookie/package.json,/core/jazz_test-lambda/node_modules/tough-cookie/package.json,/core/jazz_usermanagement/node_modules/tough-cookie/package.json,/core/jazz_events/node_modules/tough-cookie/package.json,/core/jazz_codeq/node_modules/tough-cookie/package.json,/core/jazz_slack-channel/node_modules/tough-cookie/package.json,/core/jazz_t-vault/node_modules/tough-cookie/package.json,/core/jazz_cognito-admin-authorizer/node_modules/tough-cookie/package.json

Dependency Hierarchy:

• react-scripts-2.1.8.tgz (Root Library)
  • jest-23.6.0.tgz
    • jest-cli-23.6.0.tgz
      • jest-environment-jsdom-23.4.0.tgz
        • jsdom-11.12.0.tgz
          • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 712665b267203375ee4b15e1f8d1ebe08abc1547

Found in base branch: develop

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (react-scripts): 4.0.0

---

⛑️ Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #462