cssnano-4.1.0.tgz: 7 vulnerabilities (highest severity is: 8.1) reachable

[dev-mend-for-jackfan.us.kg]

Vulnerable Library - cssnano-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (cssnano version)	Remediation Possible**	Reachability
WS-2019-0063	High	8.1	js-yaml-3.12.0.tgz	Transitive	4.1.1	✅	Reachable
WS-2021-0152	High	7.5	color-string-1.5.3.tgz	Transitive	4.1.1	✅	Reachable
WS-2019-0032	High	7.5	js-yaml-3.12.0.tgz	Transitive	4.1.1	✅	Reachable
CVE-2021-28092	High	7.5	is-svg-3.0.0.tgz	Transitive	4.1.1	✅	Reachable
CVE-2020-8116	High	7.3	dot-prop-4.2.0.tgz	Transitive	4.1.1	✅	Reachable
CVE-2021-23382	Medium	5.3	postcss-6.0.23.tgz	Transitive	4.1.1	✅	Reachable
CVE-2021-23364	Medium	5.3	browserslist-4.1.0.tgz	Transitive	4.1.1	✅	Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0063

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cosmiconfig-5.0.6.tgz
    • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

js-yaml-3.12.0/lib/js-yaml/type/seq.js (Application)
  -> js-yaml-3.12.0/lib/js-yaml/schema/failsafe.js (Extension)
   -> js-yaml-3.12.0/lib/js-yaml.js (Extension)
    -> js-yaml-3.12.0/index.js (Extension)
    ...
      -> eslint-5.4.0/lib/config/config-initializer.js (Extension)
       -> eslint-5.4.0/bin/eslint.js (Extension)
        -> ❌ cezerin-0.33.0/package.json (Vulnerable Component)

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2021-0152

Vulnerable Library - color-string-1.5.3.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color/node_modules/color-string/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cssnano-preset-default-4.0.0.tgz
    • postcss-colormin-4.0.1.tgz
      • color-3.0.0.tgz
        • ❌ color-string-1.5.3.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

cezerin-0.33.0/postcss.config.js (Application)
  -> cssnano-4.1.0/dist/index.js (Extension)
   -> cssnano-preset-default-4.0.0/dist/index.js (Extension)
    -> postcss-colormin-4.0.1/dist/index.js (Extension)
     -> postcss-colormin-4.0.1/dist/colours.js (Extension)
      -> color-3.0.0/index.js (Extension)
       -> ❌ color-string-1.5.3/index.js (Vulnerable Component)

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0032

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cosmiconfig-5.0.6.tgz
    • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

js-yaml-3.12.0/lib/js-yaml/type/str.js (Application)
  -> js-yaml-3.12.0/lib/js-yaml/schema/failsafe.js (Extension)
   -> js-yaml-3.12.0/lib/js-yaml.js (Extension)
    -> cosmiconfig-5.0.6/dist/loaders.js (Extension)
    ...
      -> lint-staged-7.2.2/src/index.js (Extension)
       -> lint-staged-7.2.2/index.js (Extension)
        -> ❌ cezerin-0.33.0/package.json (Vulnerable Component)

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-28092

Vulnerable Library - is-svg-3.0.0.tgz

Check if a string or buffer is SVG

Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/is-svg/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cssnano-preset-default-4.0.0.tgz
    • postcss-svgo-4.0.0.tgz
      • ❌ is-svg-3.0.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

cezerin-0.33.0/postcss.config.js (Application)
  -> cssnano-4.1.0/dist/index.js (Extension)
   -> cssnano-preset-default-4.0.0/dist/index.js (Extension)
    -> postcss-svgo-4.0.0/dist/index.js (Extension)
     -> ❌ is-svg-3.0.0/index.js (Vulnerable Component)

Vulnerability Details

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Publish Date: 2021-03-12

URL: CVE-2021-28092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092

Release Date: 2021-03-12

Fix Resolution (is-svg): 4.2.2

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8116

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cssnano-preset-default-4.0.0.tgz
    • postcss-merge-rules-4.0.1.tgz
      • postcss-selector-parser-3.1.1.tgz
        • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

cezerin-0.33.0/postcss.config.js (Application)
  -> cssnano-4.1.0/dist/index.js (Extension)
   -> cssnano-preset-default-4.0.0/dist/index.js (Extension)
    -> postcss-minify-selectors-4.0.0/dist/index.js (Extension)
    ...
      -> postcss-selector-parser-3.1.1/dist/processor.js (Extension)
       -> postcss-selector-parser-3.1.1/dist/parser.js (Extension)
        -> ❌ dot-prop-4.2.0/index.js (Vulnerable Component)

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23382

Vulnerable Library - postcss-6.0.23.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-6.0.23.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/postcss/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • ❌ postcss-6.0.23.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

postcss-6.0.23/lib/previous-map.js (Application)
  -> postcss-6.0.23/lib/input.js (Extension)
   -> postcss-6.0.23/lib/parse.js (Extension)
    -> postcss-6.0.23/lib/postcss.js (Extension)
     -> cssnano-4.1.0/dist/index.js (Extension)
      -> ❌ cezerin-0.33.0/postcss.config.js (Vulnerable Component)

Vulnerability Details

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).

Publish Date: 2021-04-26

URL: CVE-2021-23382

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382

Release Date: 2021-04-26

Fix Resolution (postcss): 7.0.36

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23364

Vulnerable Library - browserslist-4.1.0.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/stylehacks/node_modules/browserslist/package.json,/node_modules/postcss-merge-rules/node_modules/browserslist/package.json,/node_modules/caniuse-api/node_modules/browserslist/package.json,/node_modules/postcss-reduce-initial/node_modules/browserslist/package.json,/node_modules/postcss-colormin/node_modules/browserslist/package.json

Dependency Hierarchy:

• cssnano-4.1.0.tgz (Root Library)
  • cssnano-preset-default-4.0.0.tgz
    • postcss-merge-rules-4.0.1.tgz
      • ❌ browserslist-4.1.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

cezerin-0.33.0/postcss.config.js (Application)
  -> cssnano-4.1.0/dist/index.js (Extension)
   -> cssnano-preset-default-4.0.0/dist/index.js (Extension)
    -> postcss-reduce-initial-4.0.1/dist/index.js (Extension)
     -> ❌ browserslist-4.1.0/index.js (Vulnerable Component)

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (cssnano): 4.1.1

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.