node-sass3.13.1: 21 vulnerabilities (highest severity is: 8.7) #103
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/prelexer.hpp
Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2022-26592
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/inspect.cpp
Vulnerability Details
Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function.
Publish Date: 2023-08-22
URL: CVE-2022-26592
CVSS 4 Score Details (8.7)
Base Score Metrics:
CVE-2017-11556
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1, node-sass3.13.1, node-sass3.13.1, node-sass3.13.1
Vulnerability Details
There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.
Publish Date: 2017-07-23
URL: CVE-2017-11556
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-07-23
Fix Resolution: LibSass - 3.5.0
CVE-2018-11693
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/parser.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
CVSS 4 Score Details (7.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: node-sass - 4.14.0
CVE-2019-6286
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/prelexer.hpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2019-6284
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/prelexer.hpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6284
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-6284
Release Date: 2019-01-14
Fix Resolution: node-sass - 5.0.0;Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2019-6283
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/prelexer.hpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-14
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2019-18797
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sass::Binary_Expression*) in eval.cpp.
Publish Date: 2019-11-06
URL: CVE-2019-18797
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-18797
Release Date: 2019-11-06
Fix Resolution: GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105;node-sass - 4.14.0,4.8.0;Fable.Template.Elmish.React - 0.1.6
CVE-2018-20821
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1
Vulnerability Details
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-04-23
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2018-20190
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-17
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
CVE-2018-19838
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/ast.cpp
Vulnerability Details
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0
CVE-2018-19837
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/parser.cpp
Vulnerability Details
In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
Publish Date: 2018-12-04
URL: CVE-2018-19837
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0
CVE-2018-19826
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/inspect.cpp
Vulnerability Details
In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.
Publish Date: 2018-12-03
URL: CVE-2018-19826
CVSS 4 Score Details (7.1)
Base Score Metrics:
WS-2019-0605
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/lexer.cpp
Vulnerability Details
Sass versions between 3.2.0 and 3.6.3 may read 1 byte outside an allocated buffer while parsing a specially crafted CSS rule.
Publish Date: 2019-07-16
URL: WS-2019-0605
CVSS 4 Score Details (6.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/OSV-2020-734
Release Date: 2019-07-16
Fix Resolution: 3.6.4
CVE-2018-19839
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1
Vulnerability Details
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2018-19827
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/expand.cpp
Vulnerability Details
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-03
Fix Resolution: GR.PageRender.Razor - 1.8.0;Fable.Template.Elmish.React - 0.1.6
CVE-2018-19797
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/ast.cpp
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-12-03
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105
CVE-2018-11698
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/sass_context.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: node-sass - 3.6.0
CVE-2018-11697
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1, node-sass3.13.1
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: libsass - 3.6.0
CVE-2018-11696
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/inspect.cpp
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Inspect::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11696
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: libsass - 3.5.5;node-sass - 4.14.0
CVE-2018-11695
Vulnerable Library - node-sass3.13.1
Wrapper around libsass
Library home page: https://www.npmjs.com/package/node-sass
Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024
Found in base branch: master
Vulnerable Source Files (1)
/app/compilers/react-compiler/node_modules/node-sass/src/libsass/src/expand.cpp
Vulnerability Details
An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11695
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: libsass - 3.5.3;node-sass - 4.9.0
CVE-2018-11694
Vulnerable Libraries - node-sass3.13.1, node-sass3.13.1
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
CVSS 4 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-06-04
Fix Resolution: Fable.Template.Elmish.React - 0.1.6;GR.PageRender.Razor - 1.8.0;MIDIator.WebClient - 1.0.105