bitfinex-api-node-5.0.0.tgz: 8 vulnerabilities (highest severity is: 9.3) - autoclosed #881
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #947 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 4 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - json-schema-0.2.3.tgz
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 4 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - set-getter-0.1.0.tgz
Create nested getter properties and any intermediary dot notation (`'a.b.c'`) paths
Library home page: https://registry.npmjs.org/set-getter/-/set-getter-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Publish Date: 2021-06-10
URL: CVE-2021-25949
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 4 Score Details (9.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2021-06-10
Fix Resolution (set-getter): 0.1.1
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - marked-0.7.0.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression
inline.reflinkSearchmay cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.Publish Date: 2022-01-14
URL: CVE-2022-21681
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 4 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5v2h-r2cx-5xgj
Release Date: 2022-01-14
Fix Resolution (marked): 4.0.10
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - marked-0.7.0.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression
block.defmay cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.Publish Date: 2022-01-14
URL: CVE-2022-21680
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 4 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rrrm-qjm4-v8hf
Release Date: 2022-01-14
Fix Resolution (marked): 4.0.10
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - glob-parent-2.0.0.tgz
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 4 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (bitfinex-api-node): 5.0.2
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - marked-0.7.0.tgz
A markdown parser built for speed
Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.
Publish Date: 2020-07-02
URL: WS-2020-0163
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 4 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution (marked): 1.1.1
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 7f99c836ea749efa113ef0ccdc60bfe4cbbfa856
Found in base branch: unstable
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 4 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (bitfinex-api-node): 5.0.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: