react-scripts-1.0.10.tgz: 89 vulnerabilities (highest severity is: 10.0)

[dev-mend-for-github-com]

Vulnerable Library - react-scripts-1.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (react-scripts version)	Remediation Possible**
WS-2018-0113	High	10.0	macaddress-0.2.8.tgz	Transitive	1.0.11	✅
WS-2020-0344	Critical	9.8	is-my-json-valid-2.16.0.tgz	Transitive	1.0.11	✅
CVE-2022-37601	Critical	9.8	detected in multiple dependencies	Transitive	4.0.0	✅
CVE-2021-44906	Critical	9.8	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2020-7720	Critical	9.8	node-forge-0.6.33.tgz	Transitive	1.0.11	✅
CVE-2019-19919	Critical	9.8	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2018-6342	Critical	9.8	react-dev-utils-3.0.2.tgz	Transitive	1.0.11	✅
CVE-2018-3774	Critical	9.8	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2018-16492	Critical	9.8	extend-3.0.1.tgz	Transitive	1.0.11	✅
CVE-2018-13797	Critical	9.8	macaddress-0.2.8.tgz	Transitive	1.0.11	✅
CVE-2018-1000620	Critical	9.8	cryptiles-2.0.5.tgz	Transitive	1.1.1	✅
CVE-2019-10744	Critical	9.1	lodash.template-4.4.0.tgz	Transitive	1.0.11	✅
CVE-2018-3728	High	8.8	hoek-2.16.3.tgz	Transitive	1.1.1	✅
WS-2019-0333	High	8.1	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2019-0063	High	8.1	js-yaml-3.7.0.tgz	Transitive	2.0.0	✅
CVE-2019-20920	High	8.1	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2018-0084	High	8.0	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2021-23386	High	7.7	dns-packet-1.1.1.tgz	Transitive	1.0.11	✅
CVE-2020-13822	High	7.7	elliptic-6.4.0.tgz	Transitive	1.0.11	✅
WS-2018-0588	High	7.6	detected in multiple dependencies	Transitive	1.0.11	✅
WS-2021-0152	High	7.5	color-string-0.3.0.tgz	Transitive	2.0.0	✅
WS-2020-0218	High	7.5	merge-1.2.0.tgz	Transitive	3.0.0	✅
WS-2020-0091	High	7.5	http-proxy-1.16.2.tgz	Transitive	1.0.11	✅
WS-2019-0541	High	7.5	macaddress-0.2.8.tgz	Transitive	1.0.11	✅
WS-2019-0493	High	7.5	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2019-0492	High	7.5	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2019-0318	High	7.5	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2019-0032	High	7.5	js-yaml-3.7.0.tgz	Transitive	2.0.0	✅
WS-2018-0069	High	7.5	is-my-json-valid-2.16.0.tgz	Transitive	1.0.11	✅
CVE-2022-37620	High	7.5	html-minifier-3.5.3.tgz	Transitive	N/A*	❌
CVE-2022-37603	High	7.5	loader-utils-1.1.0.tgz	Transitive	1.0.11	✅
CVE-2022-3517	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	qs-6.4.0.tgz	Transitive	1.0.11	✅
CVE-2021-3807	High	7.5	ansi-regex-3.0.0.tgz	Transitive	1.0.11	✅
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	2.0.1	✅
CVE-2021-28092	High	7.5	is-svg-2.1.0.tgz	Transitive	2.0.0	✅
CVE-2021-27516	High	7.5	urijs-1.18.10.tgz	Transitive	1.0.11	✅
CVE-2020-7662	High	7.5	websocket-extensions-0.1.1.tgz	Transitive	1.0.11	✅
CVE-2019-20922	High	7.5	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2019-13173	High	7.5	fstream-1.0.11.tgz	Transitive	1.0.11	✅
CVE-2018-3737	High	7.5	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2018-20834	High	7.5	tar-2.2.1.tgz	Transitive	1.0.11	✅
CVE-2018-16469	High	7.5	merge-1.2.0.tgz	Transitive	1.0.11	✅
CVE-2018-14732	High	7.5	webpack-dev-server-2.5.0.tgz	Transitive	2.0.0	✅
CVE-2017-16099	High	7.5	no-case-2.3.1.tgz	Transitive	1.0.11	✅
CVE-2017-15010	High	7.5	tough-cookie-2.3.2.tgz	Transitive	1.0.11	✅
WS-2019-0064	High	7.3	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2020-8116	High	7.3	dot-prop-3.0.0.tgz	Transitive	1.0.11	✅
CVE-2020-7788	High	7.3	ini-1.3.4.tgz	Transitive	1.0.11	✅
CVE-2020-7774	High	7.3	y18n-3.2.1.tgz	Transitive	1.0.11	✅
CVE-2020-28499	High	7.3	merge-1.2.0.tgz	Transitive	3.0.0	✅
CVE-2018-3750	High	7.3	deep-extend-0.4.2.tgz	Transitive	1.0.11	✅
CVE-2022-46175	High	7.1	json5-0.5.1.tgz	Transitive	3.0.0	✅
WS-2018-0590	High	7.0	diff-3.3.0.tgz	Transitive	1.0.11	✅
CVE-2020-28498	Medium	6.8	elliptic-6.4.0.tgz	Transitive	1.0.11	✅
CVE-2020-26291	Medium	6.5	urijs-1.18.10.tgz	Transitive	1.0.11	✅
CVE-2018-21270	Medium	6.5	stringstream-0.0.5.tgz	Transitive	1.0.11	✅
CVE-2023-28155	Medium	6.1	request-2.81.0.tgz	Transitive	N/A*	❌
CVE-2022-1233	Medium	6.1	urijs-1.18.10.tgz	Transitive	1.0.11	✅
CVE-2021-3647	Medium	6.1	urijs-1.18.10.tgz	Transitive	1.0.11	✅
WS-2019-0424	Medium	5.9	elliptic-6.4.0.tgz	Transitive	1.0.11	✅
WS-2019-0103	Medium	5.6	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2021-24033	Medium	5.6	react-dev-utils-3.0.2.tgz	Transitive	4.0.0	✅
CVE-2021-23383	Medium	5.6	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2021-23369	Medium	5.6	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
CVE-2020-7789	Medium	5.6	node-notifier-5.1.2.tgz	Transitive	1.0.11	✅
CVE-2020-7598	Medium	5.6	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2020-15366	Medium	5.6	detected in multiple dependencies	Transitive	2.0.0	✅
WS-2020-0342	Medium	5.3	is-my-json-valid-2.16.0.tgz	Transitive	1.0.11	✅
WS-2019-0017	Medium	5.3	clean-css-4.1.7.tgz	Transitive	1.0.11	✅
WS-2018-0347	Medium	5.3	eslint-3.19.0.tgz	Transitive	2.0.0	✅
WS-2017-3757	Medium	5.3	content-type-parser-1.0.1.tgz	Transitive	N/A*	❌
CVE-2022-33987	Medium	5.3	got-5.7.1.tgz	Transitive	2.0.1	✅
CVE-2021-27515	Medium	5.3	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2021-23382	Medium	5.3	detected in multiple dependencies	Transitive	3.0.0	✅
CVE-2021-23362	Medium	5.3	hosted-git-info-2.5.0.tgz	Transitive	1.0.11	✅
CVE-2021-23343	Medium	5.3	path-parse-1.0.5.tgz	Transitive	1.0.11	✅
CVE-2020-8124	Medium	5.3	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2020-7693	Medium	5.3	sockjs-0.3.18.tgz	Transitive	3.4.2	✅
CVE-2020-7608	Medium	5.3	detected in multiple dependencies	Transitive	1.0.11	✅
CVE-2018-1107	Medium	5.3	is-my-json-valid-2.16.0.tgz	Transitive	1.0.11	✅
CVE-2017-16028	Medium	5.3	randomatic-1.1.7.tgz	Transitive	1.0.11	✅
WS-2019-0427	Medium	5.0	elliptic-6.4.0.tgz	Transitive	1.0.11	✅
WS-2019-0332	Medium	5.0	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2019-0331	Medium	5.0	handlebars-4.0.10.tgz	Transitive	1.0.11	✅
WS-2018-0103	Medium	4.8	stringstream-0.0.5.tgz	Transitive	1.0.11	✅
WS-2018-0589	Medium	4.0	nwmatcher-1.4.1.tgz	Transitive	1.0.11	✅
CVE-2017-16137	Low	3.7	debug-2.6.8.tgz	Transitive	1.0.11	✅
CVE-2017-20165	Low	3.5	debug-2.6.8.tgz	Transitive	1.0.11	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

WS-2018-0113

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • css-loader-0.28.4.tgz
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

Publish Date: 2018-05-16

URL: WS-2018-0113

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: 2.8.2

Release Date: 2018-01-27

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0344

Vulnerable Library - is-my-json-valid-2.16.0.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.16.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • eslint-3.19.0.tgz
    • ❌ is-my-json-valid-2.16.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Arbitrary Code Execution vulnerability was found in is-my-json-valid before 2.20.3 via the fromatName function.

Publish Date: 2020-06-09

URL: WS-2020-0344

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-09

Fix Resolution (is-my-json-valid): 2.20.3

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37601

Vulnerable Libraries - loader-utils-0.2.17.tgz, loader-utils-1.1.0.tgz

loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • webpack-2.6.1.tgz
    • ❌ loader-utils-0.2.17.tgz (Vulnerable Library)

loader-utils-1.1.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • css-loader-0.28.4.tgz
    • ❌ loader-utils-1.1.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (react-scripts): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • postcss-loader-2.0.6.tgz
    • postcss-load-config-1.2.0.tgz
      • cosmiconfig-2.2.2.tgz
        • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • babel-loader-7.0.0.tgz
    • mkdirp-0.5.1.tgz
      • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.0.11

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7720

Vulnerable Library - node-forge-0.6.33.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.6.33.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • selfsigned-1.9.1.tgz
      • ❌ node-forge-0.6.33.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-01

Fix Resolution (node-forge): 0.10.0

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-19919

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.11.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.0.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-6342

Vulnerable Library - react-dev-utils-3.0.2.tgz

Webpack utilities used by Create React App

Library home page: https://registry.npmjs.org/react-dev-utils/-/react-dev-utils-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • ❌ react-dev-utils-3.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Publish Date: 2018-12-31

URL: CVE-2018-6342

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6342

Release Date: 2018-12-31

Fix Resolution (react-dev-utils): 3.1.2

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3774

Vulnerable Libraries - url-parse-1.1.9.tgz, url-parse-1.0.5.tgz

url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • react-dev-utils-3.0.2.tgz
    • sockjs-client-1.1.4.tgz
      • ❌ url-parse-1.1.9.tgz (Vulnerable Library)

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • react-dev-utils-3.0.2.tgz
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • ❌ url-parse-1.0.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.11

Fix Resolution (url-parse): 1.4.3

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-16492

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • fsevents-1.1.2.tgz
    • node-pre-gyp-0.6.36.tgz
      • request-2.81.0.tgz
        • ❌ extend-3.0.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution (extend): 3.0.2

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-13797

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • css-loader-0.28.4.tgz
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • ❌ macaddress-0.2.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2022-10-03

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2022-10-03

Fix Resolution (macaddress): 0.2.9

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-1000620

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • fsevents-1.1.2.tgz
    • node-pre-gyp-0.6.36.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • ❌ cryptiles-2.0.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (react-scripts): 1.1.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10744

Vulnerable Library - lodash.template-4.4.0.tgz

The lodash method `_.template` exported as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • sw-precache-webpack-plugin-0.11.3.tgz
    • sw-precache-5.2.0.tgz
      • ❌ lodash.template-4.4.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-25

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-3728

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • fsevents-1.1.2.tgz
    • node-pre-gyp-0.6.36.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • ❌ hoek-2.16.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (react-scripts): 1.1.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0333

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.11.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.0.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In handlebars, versions prior to v4.5.3 are vulnerable to prototype pollution. Using a malicious template it's possbile to add or modify properties to the Object prototype. This can also lead to DOS and RCE in certain conditions.

Publish Date: 2019-11-18

URL: WS-2019-0333

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1325

Release Date: 2019-11-18

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0063

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • eslint-3.19.0.tgz
    • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (react-scripts): 2.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20920

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • istanbul-api-1.1.11.tgz
        • istanbul-reports-1.1.1.tgz
          • ❌ handlebars-4.0.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1324

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0084

Vulnerable Libraries - sshpk-1.13.1.tgz, sshpk-1.13.0.tgz

sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • jest-20.0.4.tgz
    • jest-cli-20.0.4.tgz
      • jest-environment-jsdom-20.0.3.tgz
        • jsdom-9.12.0.tgz
          • request-2.81.0.tgz
            • http-signature-1.1.1.tgz
              • ❌ sshpk-1.13.1.tgz (Vulnerable Library)

sshpk-1.13.0.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • fsevents-1.1.2.tgz
    • node-pre-gyp-0.6.36.tgz
      • request-2.81.0.tgz
        • http-signature-1.1.1.tgz
          • ❌ sshpk-1.13.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution (sshpk): 1.14.1

Direct dependency fix Resolution (react-scripts): 1.0.11

Fix Resolution (sshpk): 1.14.1

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23386

Vulnerable Library - dns-packet-1.1.1.tgz

An abstract-encoding compliant module for encoding / decoding DNS packets

Library home page: https://registry.npmjs.org/dns-packet/-/dns-packet-1.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• react-scripts-1.0.10.tgz (Root Library)
  • webpack-dev-server-2.5.0.tgz
    • bonjour-3.5.0.tgz
      • multicast-dns-6.1.1.tgz
        • ❌ dns-packet-1.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.

Publish Date: 2021-05-20

URL: CVE-2021-23386

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23386

Release Date: 2021-05-20

Fix Resolution (dns-packet): 1.3.2

Direct dependency fix Resolution (react-scripts): 1.0.11

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.