food-react-native-app's Issues
CVE-2020-28168 (Medium) detected in axios-0.19.2.tgz
CVE-2020-28168 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- ❌ axios-0.19.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Step up your Open Source Security Game with Mend here
CVE-2023-45133 (High) detected in traverse-7.10.5.tgz
CVE-2023-45133 - High Severity Vulnerability
Vulnerable Library - traverse-7.10.5.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.10.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/traverse/package.json
Dependency Hierarchy:
- core-7.10.5.tgz (Root Library)
- ❌ traverse-7.10.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/traverse@7.23.2 and @babel/traverse@8.0.0-alpha.4. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.
Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution (@babel/traverse): 7.23.2
Direct dependency fix Resolution (@babel/core): 7.11.0
CVE-2022-22912 (Critical) detected in plist-3.0.1.tgz
CVE-2022-22912 - Critical Severity Vulnerability
Vulnerable Library - plist-3.0.1.tgz
Mac OS X Plist parser/builder for Node.js and browsers
Library home page: https://registry.npmjs.org/plist/-/plist-3.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/plist/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- cli-3.2.1.tgz
- ❌ plist-3.0.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
Publish Date: 2022-02-17
URL: CVE-2022-22912
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-02-17
Fix Resolution (plist): 3.0.6
Direct dependency fix Resolution (react-native): 0.62.0
CVE-2020-1911 (Critical) detected in hermes-engine-0.2.1.tgz
CVE-2020-1911 - Critical Severity Vulnerability
Vulnerable Library - hermes-engine-0.2.1.tgz
A JavaScript engine optimized for running React Native on Android
Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hermes-engine/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Publish Date: 2020-09-04
URL: CVE-2020-1911
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x2-xv93-4p23
Release Date: 2020-09-11
Fix Resolution: hermes-engine - 0.5.2
CVE-2020-4075 (High) detected in electron-1.8.8.tgz
CVE-2020-4075 - High Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4075
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f9mq-jph6-9mhm
Release Date: 2020-07-13
Fix Resolution (electron): 7.2.4
Direct dependency fix Resolution (react-devtools): 4.8.0
CVE-2022-21718 (Medium) detected in electron-1.8.8.tgz
CVE-2022-21718 - Medium Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.
Publish Date: 2022-03-22
URL: CVE-2022-21718
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718
Release Date: 2022-03-22
Fix Resolution (electron): 13.6.6
Direct dependency fix Resolution (react-devtools): 4.27.3
WS-2019-0336 (Medium) detected in JSXTransformer-0.13.3.js, react-with-addons-0.13.3.js
WS-2019-0336 - Medium Severity Vulnerability
Vulnerable Libraries - JSXTransformer-0.13.3.js, react-with-addons-0.13.3.js
JSXTransformer-0.13.3.js
React is a JavaScript library for building user interfaces.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/react/0.13.3/JSXTransformer.js
Path to dependency file: /node_modules/react-native/Libraries/Animated/examples/demo.html
Path to vulnerable library: /node_modules/react-native/Libraries/Animated/examples/demo.html
Dependency Hierarchy:
- ❌ JSXTransformer-0.13.3.js (Vulnerable Library)
react-with-addons-0.13.3.js
React is a JavaScript library for building user interfaces.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/react/0.13.3/react-with-addons.js
Path to dependency file: /node_modules/react-native/Libraries/Animated/examples/demo.html
Path to vulnerable library: /node_modules/react-native/Libraries/Animated/examples/demo.html
Dependency Hierarchy:
- ❌ react-with-addons-0.13.3.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Cross-Site Scripting vulnerability found in react before 0.14.0. The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Publish Date: 2019-12-17
URL: WS-2019-0336
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://danlec.com/blog/xss-via-a-spoofed-react-element
Release Date: 2019-12-17
Fix Resolution: react - 0.14.0
CVE-2021-23440 (High) detected in set-value-2.0.1.tgz - autoclosed
CVE-2021-23440 - High Severity Vulnerability
Vulnerable Library - set-value-2.0.1.tgz
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/set-value/package.json
Dependency Hierarchy:
- babel-jest-24.9.0.tgz (Root Library)
- transform-24.9.0.tgz
- micromatch-3.1.10.tgz
- snapdragon-0.8.2.tgz
- base-0.11.2.tgz
- cache-base-1.0.1.tgz
- ❌ set-value-2.0.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.
Publish Date: 2021-09-12
URL: CVE-2021-23440
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2022-25647 (High) detected in gson-2.8.0.jar
CVE-2022-25647 - High Severity Vulnerability
Vulnerable Library - gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /node_modules/jetifier/lib/gson-2.8.0.jar
Dependency Hierarchy:
- ❌ gson-2.8.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
Release Date: 2022-05-01
Fix Resolution: 2.8.9
WS-2017-0421 (High) detected in ws-1.1.5.tgz - autoclosed
WS-2017-0421 - High Severity Vulnerability
Vulnerable Library - ws-1.1.5.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz
Path to dependency file: food-react-native-app/package.json
Path to vulnerable library: food-react-native-app/node_modules/ws/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- cli-3.2.1.tgz
- ❌ ws-1.1.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Affected versions of ws (0.2.6 through 3.3.0, excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to a denial of service: a specially crafted value of the Sec-WebSocket-Extensions header that uses Object.prototype property names as extension or parameter names could be used to make a ws server crash.
Publish Date: 2017-11-08
URL: WS-2017-0421
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: websockets/ws@c4fe466
Release Date: 2017-11-08
Fix Resolution: ws - 3.3.1
CVE-2022-36077 (Medium) detected in electron-1.8.8.tgz
CVE-2022-36077 - Medium Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents, as a workaround.
Publish Date: 2022-11-08
URL: CVE-2022-36077
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p2jh-44qj-pf2v
Release Date: 2022-11-08
Fix Resolution (electron): 18.3.7
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2022-0155 (Medium) detected in follow-redirects-1.5.10.tgz
CVE-2022-0155 - Medium Severity Vulnerability
Vulnerable Library - follow-redirects-1.5.10.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
- axios-0.19.2.tgz (Root Library)
- ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (axios): 0.20.0-0
CVE-2022-0235 (Medium) detected in node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz
CVE-2022-0235 - Medium Severity Vulnerability
Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz
node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/isomorphic-fetch/node_modules/node-fetch/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- fbjs-1.0.0.tgz
- isomorphic-fetch-2.2.1.tgz
- ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
node-fetch-2.6.0.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- cli-platform-android-3.1.4.tgz
- cli-tools-3.0.0.tgz
- ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (react-native): 0.64.0
CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- eslint-6.8.0.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
WS-2020-0070 (High) detected in lodash-4.17.15.tgz
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/lodash/package.json
Dependency Hierarchy:
- core-7.10.4.tgz (Root Library)
- ❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
All versions of lodash are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays. This vulnerability may lead to Denial of Service or Code Execution.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2020-1920 (High) detected in react-native-0.61.5.tgz
CVE-2020-1920 - High Severity Vulnerability
Vulnerable Library - react-native-0.61.5.tgz
A framework for building native apps using React
Library home page: https://registry.npmjs.org/react-native/-/react-native-0.61.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/react-native/package.json
Dependency Hierarchy:
- ❌ react-native-0.61.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.
Publish Date: 2021-06-01
URL: CVE-2020-1920
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1920
Release Date: 2021-06-01
Fix Resolution: 0.62.3
CVE-2020-28469 (High) detected in glob-parent-5.1.1.tgz
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- eslint-6.8.0.tgz (Root Library)
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (eslint): 7.0.0
CVE-2022-24329 (Medium) detected in kotlin-stdlib-1.3.60.jar
CVE-2022-24329 - Medium Severity Vulnerability
Vulnerable Library - kotlin-stdlib-1.3.60.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to vulnerable library: /node_modules/jetifier/lib/kotlin-stdlib-1.3.60.jar
Dependency Hierarchy:
- ❌ kotlin-stdlib-1.3.60.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: 1.6.0-M1
CVE-2022-38900 (High) detected in decode-uri-component-0.2.0.tgz
CVE-2022-38900 - High Severity Vulnerability
Vulnerable Library - decode-uri-component-0.2.0.tgz
A better decodeURIComponent
Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/decode-uri-component/package.json
Dependency Hierarchy:
- react-navigation-4.4.0.tgz (Root Library)
- core-3.7.6.tgz
- query-string-6.13.1.tgz
- ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Publish Date: 2022-11-28
URL: CVE-2022-38900
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-w573-4hg7-7wgq
Release Date: 2022-11-28
Fix Resolution (decode-uri-component): 0.2.1
Direct dependency fix Resolution (react-navigation): 4.4.1
CVE-2023-44402 (High) detected in electron-1.8.8.tgz
CVE-2023-44402 - High Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the .app bundle on macOS, which these fuses are supposed to protect against. There are no app-side workarounds; you must update to a patched version of Electron.
Publish Date: 2023-12-01
URL: CVE-2023-44402
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7m48-wc93-9g85
Release Date: 2023-12-01
Fix Resolution (electron): 22.3.24
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2021-35065 (High) detected in glob-parent-5.1.1.tgz - autoclosed
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- eslint-6.8.0.tgz (Root Library)
- ❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (eslint): 8.0.0
CVE-2020-29582 (Medium) detected in kotlin-stdlib-1.3.60.jar
CVE-2020-29582 - Medium Severity Vulnerability
Vulnerable Library - kotlin-stdlib-1.3.60.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to vulnerable library: /node_modules/jetifier/lib/kotlin-stdlib-1.3.60.jar
Dependency Hierarchy:
- ❌ kotlin-stdlib-1.3.60.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution: 1.4.21
CVE-2020-4076 (Critical) detected in electron-1.8.8.tgz
CVE-2020-4076 - Critical Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4076
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-m93v-9qjc-3g79
Release Date: 2020-07-13
Fix Resolution (electron): 7.2.4
Direct dependency fix Resolution (react-devtools): 4.8.0
WS-2021-0419 (High) detected in gson-2.8.0.jar
WS-2021-0419 - High Severity Vulnerability
Vulnerable Library - gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /node_modules/jetifier/lib/gson-2.8.0.jar
Dependency Hierarchy:
- ❌ gson-2.8.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
CVE-2023-39956 (Medium) detected in electron-1.8.8.tgz
CVE-2023-39956 - Medium Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions: 26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, and 22.3.19. There are no app side workarounds, users must update to a patched version of Electron.
Publish Date: 2023-09-06
URL: CVE-2023-39956
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-39956
Release Date: 2023-09-06
Fix Resolution (electron): 22.3.21
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2021-33813 (High) detected in jdom2-2.0.6.jar
CVE-2021-33813 - High Severity Vulnerability
Vulnerable Library - jdom2-2.0.6.jar
A complete, Java-based solution for accessing, manipulating, and outputting XML data
Library home page: http://www.jdom.org
Path to vulnerable library: /node_modules/jetifier/lib/jdom2-2.0.6.jar
Dependency Hierarchy:
- ❌ jdom2-2.0.6.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Publish Date: 2021-06-16
URL: CVE-2021-33813
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33813
Release Date: 2021-06-16
Fix Resolution: 2.0.6.1
WS-2019-0307 (Medium) detected in mem-1.1.0.tgz
WS-2019-0307 - Medium Severity Vulnerability
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/mem/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-3.2.1.tgz
    - metro-0.56.4.tgz
      - yargs-9.0.1.tgz
        - os-locale-2.1.0.tgz
          - ❌ mem-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.
Publish Date: 2018-08-27
URL: WS-2019-0307
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2019-12-01
Fix Resolution: mem - 4.0.0
CVE-2020-7789 (Medium) detected in node-notifier-5.4.3.tgz
CVE-2020-7789 - Medium Severity Vulnerability
Vulnerable Library - node-notifier-5.4.3.tgz
A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)
Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-notifier/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-3.2.1.tgz
    - ❌ node-notifier-5.4.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Publish Date: 2020-12-11
URL: CVE-2020-7789
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853
Release Date: 2020-12-11
Fix Resolution (node-notifier): 5.4.4
Direct dependency fix Resolution (react-native): 0.62.0
CVE-2020-1913 (High) detected in hermes-engine-0.2.1.tgz
CVE-2020-1913 - High Severity Vulnerability
Vulnerable Library - hermes-engine-0.2.1.tgz
A JavaScript engine optimized for running React Native on Android
Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hermes-engine/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Publish Date: 2020-09-09
URL: CVE-2020-1913
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-15
Fix Resolution (hermes-engine): 0.7.0
Direct dependency fix Resolution (react-native): 0.64.0
WS-2018-0236 (Medium) detected in mem-1.1.0.tgz
WS-2018-0236 - Medium Severity Vulnerability
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/mem/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-3.2.1.tgz
    - metro-0.56.4.tgz
      - yargs-9.0.1.tgz
        - os-locale-2.1.0.tgz
          - ❌ mem-1.1.0.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.
Publish Date: 2018-08-27
URL: WS-2018-0236
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744
Release Date: 2019-05-30
Fix Resolution: 4.0.0
CVE-2023-29198 (High) detected in electron-1.8.8.tgz
CVE-2023-29198 - High Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via contextBridge can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown: Error: object could not be cloned. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions 25.0.0-alpha.2, 24.0.1, 23.2.3, and 22.3.6.
Publish Date: 2023-09-06
URL: CVE-2023-29198
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-29198
Release Date: 2023-09-06
Fix Resolution (electron): 22.3.6
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2021-42740 (Critical) detected in shell-quote-1.6.1.tgz
CVE-2021-42740 - Critical Severity Vulnerability
Vulnerable Library - shell-quote-1.6.1.tgz
quote and parse shell commands
Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/shell-quote/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
  - react-devtools-core-3.6.3.tgz
    - ❌ shell-quote-1.6.1.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Found in base branch: master
Vulnerability Details
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Publish Date: 2021-10-21
URL: CVE-2021-42740
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
Release Date: 2021-10-21
Fix Resolution (shell-quote): 1.7.3
Direct dependency fix Resolution (react-devtools): 4.0.0
CVE-2022-29247 (Critical) detected in electron-1.8.8.tgz
CVE-2022-29247 - Critical Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer. The nodeIntegrationInSubFrames option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs, which include ipcRenderer. If the application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate senderFrame.
Publish Date: 2022-06-13
URL: CVE-2022-29247
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29247
Release Date: 2022-06-13
Fix Resolution (electron): 15.5.5
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2020-4077 (Critical) detected in electron-1.8.8.tgz
CVE-2020-4077 - Critical Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
Publish Date: 2020-07-07
URL: CVE-2020-4077
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h9jc-284h-533g
Release Date: 2020-07-13
Fix Resolution (electron): 7.2.4
Direct dependency fix Resolution (react-devtools): 4.8.0
CVE-2022-46175 (High) detected in json5-2.1.3.tgz
CVE-2022-46175 - High Severity Vulnerability
Vulnerable Library - json5-2.1.3.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- core-7.10.5.tgz (Root Library)
- ❌ json5-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution (json5): 2.2.2
Direct dependency fix Resolution (@babel/core): 7.11.0
CVE-2021-3749 (High) detected in axios-0.19.2.tgz
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.19.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- ❌ axios-0.19.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution: 0.20.0
CVE-2020-7608 (Medium) detected in yargs-parser-7.0.0.tgz, yargs-parser-11.1.1.tgz
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Libraries - yargs-parser-7.0.0.tgz, yargs-parser-11.1.1.tgz
yargs-parser-7.0.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-7.0.0.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-3.2.1.tgz
    - metro-0.56.4.tgz
      - yargs-9.0.1.tgz
        - ❌ yargs-parser-7.0.0.tgz (Vulnerable Library)
yargs-parser-11.1.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/logkitty/node_modules/yargs-parser/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-platform-android-3.1.4.tgz
    - logkitty-0.6.1.tgz
      - yargs-12.0.5.tgz
        - ❌ yargs-parser-11.1.1.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
CVE-2022-29257 (High) detected in electron-1.8.8.tgz
CVE-2022-29257 - High Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure, and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.
Publish Date: 2022-06-13
URL: CVE-2022-29257
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-77xc-hjv8-ww97
Release Date: 2022-06-13
Fix Resolution (electron): 15.5.0
Direct dependency fix Resolution (react-devtools): 4.27.3
CVE-2020-1914 (Critical) detected in hermes-engine-0.2.1.tgz
CVE-2020-1914 - Critical Severity Vulnerability
Vulnerable Library - hermes-engine-0.2.1.tgz
A JavaScript engine optimized for running React Native on Android
Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hermes-engine/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Publish Date: 2020-10-08
URL: CVE-2020-1914
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-327c-qx3v-h673
Release Date: 2020-10-20
Fix Resolution: hermes-engine - 0.7.2
CVE-2023-28155 (Medium) detected in request-2.88.2.tgz
CVE-2023-28155 - Medium Severity Vulnerability
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/request/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
  - electron-1.8.8.tgz
    - electron-download-3.3.0.tgz
      - nugget-2.0.1.tgz
        - ❌ request-2.88.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: The request package is no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p8p7-x288-28g6
Release Date: 2023-03-16
Fix Resolution: @cypress/request - 3.0.0
CVE-2022-33987 (Medium) detected in got-6.7.1.tgz
CVE-2022-33987 - Medium Severity Vulnerability
Vulnerable Library - got-6.7.1.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/got/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
  - update-notifier-2.5.0.tgz
    - latest-version-3.1.0.tgz
      - package-json-4.0.1.tgz
        - ❌ got-6.7.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution: got - 11.8.5,12.1.0
CVE-2020-8116 (High) detected in dot-prop-4.2.0.tgz
CVE-2020-8116 - High Severity Vulnerability
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/dot-prop/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
  - update-notifier-2.5.0.tgz
    - configstore-3.1.2.tgz
      - ❌ dot-prop-4.2.0.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
CVE-2021-43138 (High) detected in async-2.6.3.tgz
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Library - async-2.6.3.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-3.2.1.tgz
    - metro-0.56.4.tgz
      - ❌ async-2.6.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (react-native): 0.62.0
WS-2020-0042 (High) detected in acorn-5.7.4.tgz - autoclosed
WS-2020-0042 - High Severity Vulnerability
Vulnerable Library - acorn-5.7.4.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/jsdom/node_modules/acorn/package.json
Dependency Hierarchy:
- jest-24.9.0.tgz (Root Library)
  - jest-cli-24.9.0.tgz
    - jest-config-24.9.0.tgz
      - jest-environment-jsdom-24.9.0.tgz
        - jsdom-11.12.0.tgz
          - ❌ acorn-5.7.4.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Found in base branch: master
Vulnerability Details
acorn is vulnerable to regex DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability to cause a Denial of Service, since the string is not valid UTF-16 and is therefore sanitized before reaching the parser.
Publish Date: 2020-03-01
URL: WS-2020-0042
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-01
Fix Resolution (acorn): 6.4.1
Direct dependency fix Resolution (jest): 25.0.0
CVE-2020-8149 (High) detected in logkitty-0.6.1.tgz
CVE-2020-8149 - High Severity Vulnerability
Vulnerable Library - logkitty-0.6.1.tgz
Display pretty Android and iOS logs without Android Studio or Console.app, with intuitive Command Line Interface.
Library home page: https://registry.npmjs.org/logkitty/-/logkitty-0.6.1.tgz
Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json
Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/logkitty/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-platform-android-3.1.4.tgz
    - ❌ logkitty-0.6.1.tgz (Vulnerable Library)
Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87
Vulnerability Details
Lack of output sanitization allowed an attacker to execute arbitrary shell commands via the logkitty npm package before version 0.7.1.
Publish Date: 2020-05-15
URL: CVE-2020-8149
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8149
Release Date: 2020-05-15
Fix Resolution: 0.7.1
CVE-2020-1912 (High) detected in hermes-engine-0.2.1.tgz
CVE-2020-1912 - High Severity Vulnerability
Vulnerable Library - hermes-engine-0.2.1.tgz
A JavaScript engine optimized for running React Native on Android
Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hermes-engine/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to commit 091835377369c8fd5917d9b87acffa721ad2a168 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Publish Date: 2020-09-09
URL: CVE-2020-1912
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-09-15
Fix Resolution (hermes-engine): 0.7.0
Direct dependency fix Resolution (react-native): 0.64.0
CVE-2023-45857 (Medium) detected in axios-0.19.2.tgz
CVE-2023-45857 - Medium Severity Vulnerability
Vulnerable Library - axios-0.19.2.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
- ❌ axios-0.19.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVE-2020-1915 (High) detected in hermes-engine-0.2.1.tgz
CVE-2020-1915 - High Severity Vulnerability
Vulnerable Library - hermes-engine-0.2.1.tgz
A JavaScript engine optimized for running React Native on Android
Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hermes-engine/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
- ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Publish Date: 2020-10-26
URL: CVE-2020-1915
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-x4cf-6jr3-3qvp
Release Date: 2020-11-02
Fix Resolution: hermes-engine - 0.7.2
CVE-2020-15168 (Medium) detected in node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz
CVE-2020-15168 - Medium Severity Vulnerability
Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz
node-fetch-1.7.3.tgz
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/isomorphic-fetch/node_modules/node-fetch/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - fbjs-1.0.0.tgz
    - isomorphic-fetch-2.2.1.tgz
      - ❌ node-fetch-1.7.3.tgz (Vulnerable Library)
node-fetch-2.6.0.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
- react-native-0.61.5.tgz (Root Library)
  - cli-platform-android-3.1.4.tgz
    - cli-tools-3.0.0.tgz
      - ❌ node-fetch-2.6.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution (node-fetch): 2.6.1
Direct dependency fix Resolution (react-native): 0.64.0
CVE-2020-15096 (Medium) detected in electron-1.8.8.tgz
CVE-2020-15096 - Medium Severity Vulnerability
Vulnerable Library - electron-1.8.8.tgz
Build cross platform desktop apps with JavaScript, HTML, and CSS
Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/electron/package.json
Dependency Hierarchy:
- react-devtools-3.6.3.tgz (Root Library)
- ❌ electron-1.8.8.tgz (Vulnerable Library)
Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc
Found in base branch: master
Vulnerability Details
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
Publish Date: 2020-07-07
URL: CVE-2020-15096
CVSS 3 Score Details (6.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-6vrv-94jv-crrg
Release Date: 2020-07-10
Fix Resolution (electron): 6.1.11
Direct dependency fix Resolution (react-devtools): 4.8.0