marked-0.3.19.tgz: 5 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (marked version)	Remediation Possible**
CVE-2022-21681	High	7.5	marked-0.3.19.tgz	Direct	4.0.10	✅
CVE-2022-21680	High	7.5	marked-0.3.19.tgz	Direct	4.0.10	✅
WS-2020-0163	Medium	5.9	marked-0.3.19.tgz	Direct	1.1.1	✅
WS-2019-0169	Medium	5.3	marked-0.3.19.tgz	Direct	0.6.2	✅
WS-2018-0628	Medium	5.3	marked-0.3.19.tgz	Direct	0.4.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-21681

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Found in base branch: master

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: 4.0.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-21680

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Found in base branch: master

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: 4.0.10

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0163

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: 1.1.1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0169

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Found in base branch: master

Vulnerability Details

marked versions >0.3.14 and < 0.6.2 has Regular Expression Denial of Service vulnerability Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Publish Date: 2019-04-03

URL: WS-2019-0169

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-04-03

Fix Resolution: 0.6.2

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0628

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

• ❌ marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 185069a9af406ebbf266a8f7ff196d415e54744f

Found in base branch: master

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution: 0.4.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.