Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) #29

Open
dev-mend-for-jackfan.us.kg bot opened this issue May 31, 2024 · 0 comments
Open

babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) #29

dev-mend-for-jackfan.us.kg bot opened this issue May 31, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@dev-mend-for-jackfan.us.kg
Copy link

dev-mend-for-jackfan.us.kg bot commented May 31, 2024
edited
Loading

Vulnerable Library - babel-cli-6.26.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (babel-cli version) Remediation Possible** Reachability
CVE-2021-44906 Critical 9.8 detected in multiple dependencies Transitive N/A*
CVE-2021-37712 High 8.2 tar-4.4.1.tgz Transitive N/A*
CVE-2024-4068 High 7.5 braces-1.8.5.tgz Transitive N/A*
CVE-2022-3517 High 7.5 minimatch-3.0.4.tgz Transitive N/A*
CVE-2019-20149 High 7.5 kind-of-6.0.2.tgz Transitive N/A*
CVE-2018-20834 High 7.5 tar-4.4.1.tgz Transitive N/A*
CVE-2020-7598 Medium 5.6 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • rc-1.2.7.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • mkdirp-0.5.1.tgz
            • minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

CVE-2021-37712

Vulnerable Library - tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • tar-4.4.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution: tar - 4.4.18,5.0.10,6.1.9

CVE-2024-4068

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • anymatch-1.3.2.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json,/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • glob-7.1.2.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/clone-deep/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json,/node_modules/webpack/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/randomatic/node_modules/kind-of/package.json,/node_modules/base/node_modules/kind-of/package.json,/node_modules/watchpack/node_modules/kind-of/package.json,/node_modules/lint-staged/node_modules/kind-of/package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • anymatch-1.3.2.tgz
        • micromatch-2.3.11.tgz
          • braces-1.8.5.tgz
            • expand-range-1.8.2.tgz
              • fill-range-2.2.4.tgz
                • randomatic-3.0.0.tgz
                  • kind-of-6.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3

CVE-2018-20834

Vulnerable Library - tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • tar-4.4.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20834

Release Date: 2019-04-30

Fix Resolution: tar - 2.2.2,4.4.2

CVE-2020-7598

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • rc-1.2.7.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.2.4.tgz
        • node-pre-gyp-0.10.0.tgz
          • mkdirp-0.5.1.tgz
            • minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 31, 2024
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 4 vulnerabilities (highest severity is: 9.8) babel-cli-6.26.0.tgz: 4 vulnerabilities (highest severity is: 8.2) Jul 3, 2024
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 4 vulnerabilities (highest severity is: 8.2) babel-cli-6.26.0.tgz: 5 vulnerabilities (highest severity is: 8.2) Dec 23, 2024
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 5 vulnerabilities (highest severity is: 8.2) babel-cli-6.26.0.tgz: 9 vulnerabilities (highest severity is: 9.8) Jan 12, 2025
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 9 vulnerabilities (highest severity is: 9.8) babel-cli-6.26.0.tgz: 8 vulnerabilities (highest severity is: 9.8) Jan 12, 2025
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 8 vulnerabilities (highest severity is: 9.8) babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) Jan 13, 2025
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) babel-cli-6.26.0.tgz: 6 vulnerabilities (highest severity is: 9.8) Jan 16, 2025
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 6 vulnerabilities (highest severity is: 9.8) babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) reachable Jan 22, 2025
@dev-mend-for-jackfan.us.kg dev-mend-for-jackfan.us.kg bot changed the title babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) reachable babel-cli-6.26.0.tgz: 7 vulnerabilities (highest severity is: 9.8) Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants