Giter VIP home page Giter VIP logo

microsoft-teams-apps-company-communicator's People

Contributors

amyzhao1321 avatar aosolis avatar cbitter78 avatar dependabot[bot] avatar jotrick avatar juna-gupta avatar lakshmipratapg avatar mend-for-github-com[bot] avatar microsoftopensource avatar mikhail2k15 avatar msftgits avatar paul-cheung avatar porkai-pandian avatar priyank29 avatar snowdensb avatar tsujonathan avatar v-abtan avatar v-smahaj avatar yashrajmungale avatar

microsoft-teams-apps-company-communicator's Issues

CVE-2021-3807 (High) detected in ansi-regex-4.1.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/Source/CompanyCommunicator/ClientApp/node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex/package.json,/Source/CompanyCommunicator/ClientApp/node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • yargs-13.3.2.tgz
        • cliui-5.0.0.tgz
          • strip-ansi-5.2.0.tgz
            • ansi-regex-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0639 (Medium) detected in url-parse-1.5.3.tgz

CVE-2022-0639 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.0.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

Publish Date: 2022-02-17

URL: CVE-2022-0639

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639

Release Date: 2022-02-17

Fix Resolution (url-parse): 1.5.7

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0438 (Medium) detected in i18next-19.8.2.tgz

WS-2020-0438 - Medium Severity Vulnerability

Vulnerable Library - i18next-19.8.2.tgz

i18next internationalization framework

Library home page: https://registry.npmjs.org/i18next/-/i18next-19.8.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/i18next/package.json

Dependency Hierarchy:

  • i18next-19.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

In i18next in versions v19.6.0 to v19.8.2 is vulnerable to prototype pollution, it allows to modify the prototype of a base object, which may result in DoS, XSS, RCE, etc.

Publish Date: 2020-02-12

URL: WS-2020-0438

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/968355

Release Date: 2020-02-12

Fix Resolution: 19.8.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0122 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-0122 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.

Publish Date: 2022-01-06

URL: CVE-2022-0122

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gf8q-jrpm-jvxq

Release Date: 2022-01-06

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8244 (Medium) detected in i18next-19.8.2.tgz

CVE-2020-8244 - Medium Severity Vulnerability

Vulnerable Library - i18next-19.8.2.tgz

i18next internationalization framework

Library home page: https://registry.npmjs.org/i18next/-/i18next-19.8.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/i18next/package.json

Dependency Hierarchy:

  • i18next-19.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution: 19.8.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43138 (High) detected in async-2.6.3.tgz

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-2.6.3.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.3.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/async/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • portfinder-1.0.28.tgz
        • async-2.6.3.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23424 (High) detected in ansi-html-0.0.7.tgz

CVE-2021-23424 - High Severity Vulnerability

Vulnerable Library - ansi-html-0.0.7.tgz

An elegant lib that converts the chalked (ANSI) text to HTML.

Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/ansi-html/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • ansi-html-0.0.7.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Publish Date: 2021-08-18

URL: CVE-2021-23424

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424

Release Date: 2021-08-18

Fix Resolution (ansi-html): 0.0.8

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0536 (Medium) detected in follow-redirects-1.14.7.tgz

CVE-2022-0536 - Medium Severity Vulnerability

Vulnerable Library - follow-redirects-1.14.7.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/axios/node_modules/follow-redirects/package.json,/Source/CompanyCommunicator/ClientApp/node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • http-proxy-middleware-0.19.1.tgz
        • http-proxy-1.18.1.tgz
          • follow-redirects-1.14.7.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

Publish Date: 2022-02-09

URL: CVE-2022-0536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536

Release Date: 2022-02-09

Fix Resolution (follow-redirects): 1.14.8

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-1045 (High) detected in microsoft.aspnetcore.http.2.1.0.nupkg

CVE-2020-1045 - High Severity Vulnerability

Vulnerable Library - microsoft.aspnetcore.http.2.1.0.nupkg

ASP.NET Core default HTTP feature implementations.

Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.http.2.1.0.nupkg

Path to dependency file: /Source/Test/CompanyCommunicator.Send.Func.Test/Microsoft.Teams.Apps.CompanyCommunicator.Send.Func.Test.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.http/2.1.0/microsoft.aspnetcore.http.2.1.0.nupkg

Dependency Hierarchy:

  • microsoft.bot.builder.integration.aspnet.core.4.12.1.nupkg (Root Library)
    • microsoft.aspnetcore.mvc.core.2.1.0.nupkg
      • microsoft.aspnetcore.authentication.core.2.1.0.nupkg
        • microsoft.aspnetcore.http.2.1.0.nupkg (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.

Publish Date: 2020-09-11

URL: CVE-2020-1045

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-11

Fix Resolution: Microsoft.AspNetCore.App - 2.1.22, Microsoft.AspNetCore.All - 2.1.22,Microsoft.NETCore.App - 2.1.22, Microsoft.AspNetCore.Http - 2.1.22

CVE-2021-23364 (Medium) detected in browserslist-4.14.2.tgz

CVE-2021-23364 - Medium Severity Vulnerability

Vulnerable Library - browserslist-4.14.2.tgz

Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/react-dev-utils/node_modules/browserslist/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • browserslist-4.14.2.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Publish Date: 2021-04-28

URL: CVE-2021-23364

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364

Release Date: 2021-04-28

Fix Resolution (browserslist): 4.16.5

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0008 (Medium) detected in node-forge-0.10.0.tgz

WS-2022-0008 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Publish Date: 2022-01-08

URL: WS-2022-0008

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5rrq-pxf6-6jx5

Release Date: 2022-01-08

Fix Resolution (node-forge): 1.0.0

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-27290 (High) detected in ssri-6.0.1.tgz

CVE-2021-27290 - High Severity Vulnerability

Vulnerable Library - ssri-6.0.1.tgz

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/webpack/node_modules/ssri/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-4.44.2.tgz
      • terser-webpack-plugin-1.4.5.tgz
        • cacache-12.0.4.tgz
          • ssri-6.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Publish Date: 2021-03-12

URL: CVE-2021-27290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vx3p-948g-6vhq

Release Date: 2021-03-12

Fix Resolution (ssri): 6.0.2

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23436 (Critical) detected in immer-8.0.1.tgz

CVE-2021-23436 - Critical Severity Vulnerability

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Publish Date: 2021-09-01

URL: CVE-2021-23436

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436

Release Date: 2021-09-01

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/nth-check/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-5.5.0.tgz
      • plugin-svgo-5.5.0.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-17

Fix Resolution: nth-check - v2.0.1

CVE-2022-24773 (Medium) detected in node-forge-0.10.0.tgz

CVE-2022-24773 - Medium Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24773

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906 (Critical) detected in minimist-1.2.5.tgz

CVE-2021-44906 - Critical Severity Vulnerability

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/minimist/package.json,/Source/CompanyCommunicator/ClientApp/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • babel-loader-8.1.0.tgz
      • mkdirp-0.5.5.tgz
        • minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2021-0153 (Critical) detected in ejs-2.7.4.tgz

WS-2021-0153 - Critical Severity Vulnerability

Vulnerable Library - ejs-2.7.4.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/ejs/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • workbox-webpack-plugin-5.1.4.tgz
      • workbox-build-5.1.4.tgz
        • rollup-plugin-off-main-thread-1.4.2.tgz
          • ejs-2.7.4.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Publish Date: 2021-01-22

URL: WS-2021-0153

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-22

Fix Resolution (ejs): 3.1.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0512 (Medium) detected in url-parse-1.5.3.tgz

CVE-2022-0512 - Medium Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.0.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

Publish Date: 2022-02-14

URL: CVE-2022-0512

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512

Release Date: 2022-02-14

Fix Resolution (url-parse): 1.5.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24772 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24772 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24772

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0686 (Critical) detected in url-parse-1.5.3.tgz

CVE-2022-0686 - Critical Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.0.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Publish Date: 2022-02-20

URL: CVE-2022-0686

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686

Release Date: 2022-02-20

Fix Resolution (url-parse): 1.5.8

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-0820 (High) detected in system.text.regularexpressions.4.3.0.nupkg

CVE-2019-0820 - High Severity Vulnerability

Vulnerable Library - system.text.regularexpressions.4.3.0.nupkg

Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...

Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg

Dependency Hierarchy:

  • microsoft.identity.client.4.30.1.nupkg (Root Library)
    • system.xml.xdocument.4.3.0.nupkg
      • system.xml.readerwriter.4.3.0.nupkg
        • system.text.regularexpressions.4.3.0.nupkg (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.

Publish Date: 2019-05-16

URL: CVE-2019-0820

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cmhx-cq75-c4mj

Release Date: 2019-05-16

Fix Resolution: System.Text.RegularExpressions - 4.3.1

CVE-2022-24785 (High) detected in moment-2.24.0.tgz

CVE-2022-24785 - High Severity Vulnerability

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.24.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: 2.29.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-33502 (High) detected in normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz - autoclosed

CVE-2021-33502 - High Severity Vulnerability

Vulnerable Libraries - normalize-url-1.9.1.tgz, normalize-url-3.3.0.tgz

normalize-url-1.9.1.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • mini-css-extract-plugin-0.11.3.tgz
      • normalize-url-1.9.1.tgz (Vulnerable Library)
normalize-url-3.3.0.tgz

Normalize a URL

Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/postcss-normalize-url/node_modules/normalize-url/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • optimize-css-assets-webpack-plugin-5.0.4.tgz
      • cssnano-4.1.11.tgz
        • cssnano-preset-default-4.0.8.tgz
          • postcss-normalize-url-4.0.1.tgz
            • normalize-url-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Publish Date: 2021-05-24

URL: CVE-2021-33502

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502

Release Date: 2021-05-24

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

Fix Resolution (normalize-url): 4.5.1

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2019-0548 (High) detected in microsoft.aspnetcore.server.kestrel.transport.sockets.2.2.0.nupkg

CVE-2019-0548 - High Severity Vulnerability

Vulnerable Library - microsoft.aspnetcore.server.kestrel.transport.sockets.2.2.0.nupkg

Managed socket transport for the ASP.NET Core Kestrel cross-platform web server.

Library home page: https://api.nuget.org/packages/microsoft.aspnetcore.server.kestrel.transport.sockets.2.2.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.aspnetcore.server.kestrel.transport.sockets/2.2.0/microsoft.aspnetcore.server.kestrel.transport.sockets.2.2.0.nupkg

Dependency Hierarchy:

  • Microsoft.Teams.Apps.CompanyCommunicator.Prep.Func-1.0.0 (Root Library)
    • microsoft.azure.webjobs.extensions.durabletask.2.3.0.nupkg
      • microsoft.aspnetcore.server.kestrel.2.2.0.nupkg
        • microsoft.aspnetcore.server.kestrel.transport.sockets.2.2.0.nupkg (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka "ASP.NET Core Denial of Service Vulnerability." This affects ASP.NET Core 2.2, ASP.NET Core 2.1. This CVE ID is unique from CVE-2019-0564.

Publish Date: 2019-01-08

URL: CVE-2019-0548

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-08

Fix Resolution: Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets - 2.2.1; Microsoft.AspNetCore.Server.IIS - 2.2.1; Microsoft.AspNetCore.Server.IISIntegration - 2.2.1;Microsoft.AspNetCore.Server.Kestrel.Core - 2.1.7

CVE-2021-3757 (Critical) detected in immer-8.0.1.tgz

CVE-2021-3757 - Critical Severity Vulnerability

Vulnerable Library - immer-8.0.1.tgz

Create your next immutable state by mutating the current one

Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/immer/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • react-dev-utils-11.0.4.tgz
      • immer-8.0.1.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-09-02

URL: CVE-2021-3757

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/

Release Date: 2021-09-02

Fix Resolution (immer): 9.0.6

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0691 (Critical) detected in url-parse-1.5.3.tgz

CVE-2022-0691 - Critical Severity Vulnerability

Vulnerable Library - url-parse-1.5.3.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.3.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/url-parse/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • sockjs-client-1.5.0.tgz
        • url-parse-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Publish Date: 2022-02-21

URL: CVE-2022-0691

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

Release Date: 2022-02-21

Fix Resolution (url-parse): 1.5.9

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-33587 (High) detected in css-what-3.4.2.tgz - autoclosed

CVE-2021-33587 - High Severity Vulnerability

Vulnerable Library - css-what-3.4.2.tgz

a CSS selector parser

Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/css-select/node_modules/css-what/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-5.5.0.tgz
      • plugin-svgo-5.5.0.tgz
        • svgo-1.3.2.tgz
          • css-select-2.1.0.tgz
            • css-what-3.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

Publish Date: 2021-05-28

URL: CVE-2021-33587

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587

Release Date: 2021-05-28

Fix Resolution (css-what): 5.0.1

Direct dependency fix Resolution (react-scripts): 5.0.1

⛑️ Automatic Remediation is available for this issue

CVE-2020-28469 (High) detected in glob-parent-3.1.0.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-3.1.0.tgz

Strips glob magic from a string to provide the parent directory path

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/Source/CompanyCommunicator/ClientApp/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • chokidar-2.1.8.tgz
        • glob-parent-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24771 (High) detected in node-forge-0.10.0.tgz

CVE-2022-24771 - High Severity Vulnerability

Vulnerable Library - node-forge-0.10.0.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz

Path to dependency file: /Source/CompanyCommunicator/ClientApp/package.json

Path to vulnerable library: /Source/CompanyCommunicator/ClientApp/node_modules/node-forge/package.json

Dependency Hierarchy:

  • react-scripts-4.0.3.tgz (Root Library)
    • webpack-dev-server-3.11.1.tgz
      • selfsigned-1.10.8.tgz
        • node-forge-0.10.0.tgz (Vulnerable Library)

Found in HEAD commit: 32bf8559b65e6695a5e727d0fdf93e7ae135d32a

Found in base branch: master

Vulnerability Details

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Publish Date: 2022-03-18

URL: CVE-2022-24771

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771

Release Date: 2022-03-18

Fix Resolution (node-forge): 1.3.0

Direct dependency fix Resolution (react-scripts): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.