rvvergara / food-react-native-app Goto Github PK

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.19.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution: 0.21.1

Vulnerable Library - traverse-7.10.5.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.10.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/traverse/package.json

Dependency Hierarchy:

• core-7.10.5.tgz (Root Library)
  • ❌ traverse-7.10.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@babel/core): 7.11.0

Vulnerable Library - plist-3.0.1.tgz

Mac OS X Plist parser/builder for Node.js and browsers

Library home page: https://registry.npmjs.org/plist/-/plist-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/plist/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • ❌ plist-3.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Publish Date: 2022-02-17

URL: CVE-2022-22912

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-02-17

Fix Resolution (plist): 3.0.6

Direct dependency fix Resolution (react-native): 0.62.0

Vulnerable Library - hermes-engine-0.2.1.tgz

A JavaScript engine optimized for running React Native on Android

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-09-04

URL: CVE-2020-1911

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5x2-xv93-4p23

Release Date: 2020-09-11

Fix Resolution: hermes-engine - 0.5.2

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4075

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f9mq-jph6-9mhm

Release Date: 2020-07-13

Fix Resolution (electron): 7.2.4

Direct dependency fix Resolution (react-devtools): 4.8.0

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

Publish Date: 2022-03-22

URL: CVE-2022-21718

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21718

Release Date: 2022-03-22

Fix Resolution (electron): 13.6.6

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Libraries - JSXTransformer-0.13.3.js, react-with-addons-0.13.3.js

Found in base branch: master

Vulnerability Details

Cross-Site Scripting vulnerability found in react before 0.14.0. The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.

Publish Date: 2019-12-17

URL: WS-2019-0336

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://danlec.com/blog/xss-via-a-spoofed-react-element

Release Date: 2019-12-17

Fix Resolution: react - 0.14.0

Vulnerable Library - set-value-2.0.1.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

• babel-jest-24.9.0.tgz (Root Library)
  • transform-24.9.0.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • base-0.11.2.tgz
          • cache-base-1.0.1.tgz
            • ❌ set-value-2.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Mend Note: After conducting further research, Mend has determined that all versions of set-value up to version 4.0.0 are vulnerable to CVE-2021-23440.

Publish Date: 2021-09-12

URL: CVE-2021-23440

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-12

Fix Resolution: set-value - 4.0.1

Vulnerable Library - gson-2.8.0.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to vulnerable library: /node_modules/jetifier/lib/gson-2.8.0.jar

Dependency Hierarchy:

• ❌ gson-2.8.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: 2.8.9

Vulnerable Library - ws-1.1.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-1.1.5.tgz

Path to dependency file: food-react-native-app/package.json

Path to vulnerable library: food-react-native-app/node_modules/ws/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • ❌ ws-1.1.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Affected version of ws (0.2.6 through 3.3.0 excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: websockets/ws@c4fe466

Release Date: 2017-11-08

Fix Resolution: ws - 3.3.1

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents as a workaround.

Publish Date: 2022-11-08

URL: CVE-2022-36077

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p2jh-44qj-pf2v

Release Date: 2022-11-08

Fix Resolution (electron): 18.3.7

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - follow-redirects-1.5.10.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/follow-redirects/package.json

Dependency Hierarchy:

• axios-0.19.2.tgz (Root Library)
  • ❌ follow-redirects-1.5.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

Publish Date: 2022-01-10

URL: CVE-2022-0155

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/

Release Date: 2022-01-10

Fix Resolution (follow-redirects): 1.14.7

Direct dependency fix Resolution (axios): 0.20.0-0

Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz

Found in base branch: master

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (react-native): 0.64.0

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (react-native): 0.64.0

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json

Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/lodash/package.json

Dependency Hierarchy:

• core-7.10.4.tgz (Root Library)
  • ❌ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

All versions of lodash are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays. This vulnerability may lead to Denial of Service or Code Execution.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - react-native-0.61.5.tgz

A framework for building native apps using React

Library home page: https://registry.npmjs.org/react-native/-/react-native-0.61.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/react-native/package.json

Dependency Hierarchy:

• ❌ react-native-0.61.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.

Publish Date: 2021-06-01

URL: CVE-2020-1920

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1920

Release Date: 2021-06-01

Fix Resolution: 0.62.3

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (eslint): 7.0.0

Vulnerable Library - kotlin-stdlib-1.3.60.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to vulnerable library: /node_modules/jetifier/lib/kotlin-stdlib-1.3.60.jar

Dependency Hierarchy:

• ❌ kotlin-stdlib-1.3.60.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: 1.6.0-M1

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• react-navigation-4.4.0.tgz (Root Library)
  • core-3.7.6.tgz
    • query-string-6.13.1.tgz
      • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (react-navigation): 4.4.1

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. There are no app side workarounds, you must update to a patched version of Electron.

Publish Date: 2023-12-01

URL: CVE-2023-44402

CVSS 3 Score Details (7.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-7m48-wc93-9g85

Release Date: 2023-12-01

Fix Resolution (electron): 22.3.24

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/glob-parent/package.json

Dependency Hierarchy:

• eslint-6.8.0.tgz (Root Library)
  • ❌ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution (glob-parent): 6.0.1

Direct dependency fix Resolution (eslint): 8.0.0

Vulnerable Library - kotlin-stdlib-1.3.60.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to vulnerable library: /node_modules/jetifier/lib/kotlin-stdlib-1.3.60.jar

Dependency Hierarchy:

• ❌ kotlin-stdlib-1.3.60.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution: 1.4.21

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4076

CVSS 3 Score Details (9.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m93v-9qjc-3g79

Release Date: 2020-07-13

Fix Resolution (electron): 7.2.4

Direct dependency fix Resolution (react-devtools): 4.8.0

Vulnerable Library - gson-2.8.0.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to vulnerable library: /node_modules/jetifier/lib/gson-2.8.0.jar

Dependency Hierarchy:

• ❌ gson-2.8.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: 2.8.9

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:26.0.0-beta.13, 25.4.1, 24.7.1, 23.3.13, and 22.3.19. There are no app side workarounds, users must update to a patched version of Electron.

Publish Date: 2023-09-06

URL: CVE-2023-39956

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-39956

Release Date: 2023-09-06

Fix Resolution (electron): 22.3.21

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - jdom2-2.0.6.jar

A complete, Java-based solution for accessing, manipulating, and outputting XML data

Library home page: http://www.jdom.org

Path to vulnerable library: /node_modules/jetifier/lib/jdom2-2.0.6.jar

Dependency Hierarchy:

• ❌ jdom2-2.0.6.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Publish Date: 2021-06-16

URL: CVE-2021-33813

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33813

Release Date: 2021-06-16

Fix Resolution: 2.0.6.1

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json

Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/mem/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • metro-0.56.4.tgz
      • yargs-9.0.1.tgz
        • os-locale-2.1.0.tgz
          • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

Denial of Service (DoS) vulnerability found in mem before 4.0.0. There is a failure in removal of old values from the cache. As a result, attacker may exhaust the system's memory.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2019-12-01

Fix Resolution: mem - 4.0.0

Vulnerable Library - node-notifier-5.4.3.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-5.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • ❌ node-notifier-5.4.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (react-native): 0.62.0

Vulnerable Library - hermes-engine-0.2.1.tgz

A JavaScript engine optimized for running React Native on Android

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-09-09

URL: CVE-2020-1913

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-15

Fix Resolution (hermes-engine): 0.7.0

Direct dependency fix Resolution (react-native): 0.64.0

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json

Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/mem/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • metro-0.56.4.tgz
      • yargs-9.0.1.tgz
        • os-locale-2.1.0.tgz
          • ❌ mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

Publish Date: 2018-08-27

URL: WS-2018-0236

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1623744

Release Date: 2019-05-30

Fix Resolution: 4.0.0

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via contextBridge can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown Error: object could not be cloned. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions 25.0.0-alpha.2, 24.0.1, 23.2.3, and 22.3.6.

Publish Date: 2023-09-06

URL: CVE-2023-29198

CVSS 3 Score Details (8.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-29198

Release Date: 2023-09-06

Fix Resolution (electron): 22.3.6

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - shell-quote-1.6.1.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/shell-quote/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • react-devtools-core-3.6.3.tgz
    • ❌ shell-quote-1.6.1.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Found in base branch: master

Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (react-devtools): 4.0.0

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer. The nodeIntegrationInSubFrames option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs, which include ipcRenderer. If the application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate senderFrame.

Publish Date: 2022-06-13

URL: CVE-2022-29247

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29247

Release Date: 2022-06-13

Fix Resolution (electron): 15.5.5

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Publish Date: 2020-07-07

URL: CVE-2020-4077

CVSS 3 Score Details (9.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h9jc-284h-533g

Release Date: 2020-07-13

Fix Resolution (electron): 7.2.4

Direct dependency fix Resolution (react-devtools): 4.8.0

Vulnerable Library - json5-2.1.3.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

• core-7.10.5.tgz (Root Library)
  • ❌ json5-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 2.2.2

Direct dependency fix Resolution (@babel/core): 7.11.0

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.19.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution: 0.20.0

Vulnerable Libraries - yargs-parser-7.0.0.tgz, yargs-parser-11.1.1.tgz

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds.

Publish Date: 2022-06-13

URL: CVE-2022-29257

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-77xc-hjv8-ww97

Release Date: 2022-06-13

Fix Resolution (electron): 15.5.0

Direct dependency fix Resolution (react-devtools): 4.27.3

Vulnerable Library - hermes-engine-0.2.1.tgz

A JavaScript engine optimized for running React Native on Android

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-10-08

URL: CVE-2020-1914

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-327c-qx3v-h673

Release Date: 2020-10-20

Fix Resolution: hermes-engine - 0.7.2

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • electron-1.8.8.tgz
    • electron-download-3.3.0.tgz
      • nugget-2.0.1.tgz
        • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

Vulnerable Library - got-6.7.1.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-6.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • latest-version-3.1.0.tgz
      • package-json-4.0.1.tgz
        • ❌ got-6.7.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json

Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/dot-prop/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • configstore-3.1.2.tgz
      • ❌ dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution: dot-prop - 5.1.1

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/async/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-3.2.1.tgz
    • metro-0.56.4.tgz
      • ❌ async-2.6.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-native): 0.62.0

Vulnerable Library - acorn-5.7.4.tgz

ECMAScript parser

Library home page: https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsdom/node_modules/acorn/package.json

Dependency Hierarchy:

• jest-24.9.0.tgz (Root Library)
  • jest-cli-24.9.0.tgz
    • jest-config-24.9.0.tgz
      • jest-environment-jsdom-24.9.0.tgz
        • jsdom-11.12.0.tgz
          • ❌ acorn-5.7.4.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Found in base branch: master

Vulnerability Details

acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.

Publish Date: 2020-03-01

URL: WS-2020-0042

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1488

Release Date: 2020-03-01

Fix Resolution (acorn): 6.4.1

Direct dependency fix Resolution (jest): 25.0.0

Vulnerable Library - logkitty-0.6.1.tgz

Display pretty Android and iOS logs without Android Studio or Console.app, with intuitive Command Line Interface.

Library home page: https://registry.npmjs.org/logkitty/-/logkitty-0.6.1.tgz

Path to dependency file: /tmp/ws-scm/food-react-native-app/package.json

Path to vulnerable library: /tmp/ws-scm/food-react-native-app/node_modules/logkitty/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • cli-platform-android-3.1.4.tgz
    • ❌ logkitty-0.6.1.tgz (Vulnerable Library)

Found in HEAD commit: e5302ac1412821f2cb84b8317bf81bc615078c87

Vulnerability Details

Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1.

Publish Date: 2020-05-15

URL: CVE-2020-8149

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8149

Release Date: 2020-05-15

Fix Resolution: 0.7.1

Vulnerable Library - hermes-engine-0.2.1.tgz

A JavaScript engine optimized for running React Native on Android

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to commit 091835377369c8fd5917d9b87acffa721ad2a168 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-09-09

URL: CVE-2020-1912

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-15

Fix Resolution (hermes-engine): 0.7.0

Direct dependency fix Resolution (react-native): 0.64.0

Vulnerable Library - axios-0.19.2.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/axios/package.json

Dependency Hierarchy:

• ❌ axios-0.19.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: 0.20.0

Vulnerable Library - hermes-engine-0.2.1.tgz

A JavaScript engine optimized for running React Native on Android

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:

• react-native-0.61.5.tgz (Root Library)
  • ❌ hermes-engine-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-10-26

URL: CVE-2020-1915

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4cf-6jr3-3qvp

Release Date: 2020-11-02

Fix Resolution: hermes-engine - 0.7.2

Vulnerable Libraries - node-fetch-1.7.3.tgz, node-fetch-2.6.0.tgz

Found in base branch: master

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (react-native): 0.64.0

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (react-native): 0.64.0

Vulnerable Library - electron-1.8.8.tgz

Build cross platform desktop apps with JavaScript, HTML, and CSS

Library home page: https://registry.npmjs.org/electron/-/electron-1.8.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/electron/package.json

Dependency Hierarchy:

• react-devtools-3.6.3.tgz (Root Library)
  • ❌ electron-1.8.8.tgz (Vulnerable Library)

Found in HEAD commit: 98c222e71725c8cb39b1693983ec7573926d4dcc

Found in base branch: master

Vulnerability Details

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

Publish Date: 2020-07-07

URL: CVE-2020-15096

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6vrv-94jv-crrg

Release Date: 2020-07-10

Fix Resolution (electron): 6.1.11

Direct dependency fix Resolution (react-devtools): 4.8.0