url-loader-0.5.7.tgz: 1 vulnerabilities (highest severity is: 8.7)

[mend-for-github-com]

Vulnerable Library - url-loader-0.5.7.tgz

Path to dependency file: /app/compilers/react-compiler/package.json

Path to vulnerable library: /app/compilers/react-compiler/node_modules/url-loader/node_modules/mime/package.json,/app/compilers/react-compiler/node_modules/url-loader/node_modules/mime/package.json

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (url-loader version)	Remediation Possible**
CVE-2017-16138	High	8.7	mime-1.2.11.tgz	Transitive	0.6.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-16138

Vulnerable Library - mime-1.2.11.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.2.11.tgz

Path to dependency file: /app/compilers/react-compiler/package.json

Path to vulnerable library: /app/compilers/react-compiler/node_modules/url-loader/node_modules/mime/package.json,/app/compilers/react-compiler/node_modules/url-loader/node_modules/mime/package.json

Dependency Hierarchy:

• url-loader-0.5.7.tgz (Root Library)
  • ❌ mime-1.2.11.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Mend Note: Converted from WS-2017-0330, on 2022-11-08.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution (mime): 1.4.1

Direct dependency fix Resolution (url-loader): 0.6.0

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules

[mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.