lint-staged-7.2.2.tgz: 7 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com]

Vulnerable Library - lint-staged-7.2.2.tgz

Path to dependency file: /package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (lint-staged version)	Remediation Possible**	Reachability
CVE-2019-10747	Critical	9.8	detected in multiple dependencies	Transitive	7.3.0	❌
CVE-2019-10746	Critical	9.8	mixin-deep-1.3.1.tgz	Transitive	7.3.0	❌
WS-2019-0063	High	8.1	js-yaml-3.12.0.tgz	Transitive	7.3.0	❌
WS-2019-0032	High	7.5	js-yaml-3.12.0.tgz	Transitive	7.3.0	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	7.3.0	❌
CVE-2021-3807	High	7.5	ansi-regex-3.0.0.tgz	Transitive	7.3.0	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	7.3.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-10747

Vulnerable Libraries - set-value-0.4.3.tgz, set-value-2.0.0.tgz

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • union-value-1.0.0.tgz
            • ❌ set-value-0.4.3.tgz (Vulnerable Library)

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • cache-base-1.0.1.tgz
          • ❌ set-value-2.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (lint-staged): 7.3.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (lint-staged): 7.3.0

CVE-2019-10746

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • base-0.11.2.tgz
        • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (lint-staged): 7.3.0

WS-2019-0063

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • cosmiconfig-5.0.6.tgz
    • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (lint-staged): 7.3.0

WS-2019-0032

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • cosmiconfig-5.0.6.tgz
    • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (lint-staged): 7.3.0

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • snapdragon-0.8.2.tgz
      • source-map-resolve-0.5.2.tgz
        • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (lint-staged): 7.3.0

CVE-2021-3807

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • jest-validate-23.5.0.tgz
    • pretty-format-23.5.0.tgz
      • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (lint-staged): 7.3.0

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Dependency Hierarchy:

• lint-staged-7.2.2.tgz (Root Library)
  • micromatch-3.1.10.tgz
    • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (lint-staged): 7.3.0