
jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) - autoclosed #21

Closed
mend-for-github-com bot opened this issue Mar 17, 2022 · 10 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource


mend-for-github-com bot commented Mar 17, 2022

Vulnerable Library - jest-cli-16.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (jest-cli version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-23369 | Critical | 9.8 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| CVE-2020-28499 | Critical | 9.8 | merge-1.2.1.tgz | Transitive | 24.0.0 | |
| CVE-2019-19919 | Critical | 9.8 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| CVE-2021-23383 | Critical | 9.8 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| CVE-2020-7774 | Critical | 9.8 | y18n-3.2.1.tgz | Transitive | 17.0.0 | |
| CVE-2019-20920 | High | 8.1 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| WS-2019-0063 | High | 8.1 | js-yaml-3.7.0.tgz | Transitive | 17.0.0 | |
| CVE-2019-20922 | High | 7.5 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| WS-2020-0450 | High | 7.5 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| CVE-2022-21681 | High | 7.5 | marked-0.3.19.tgz | Transitive | 19.0.0 | |
| CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | 17.0.0 | |
| CVE-2022-21680 | High | 7.5 | marked-0.3.19.tgz | Transitive | 19.0.0 | |
| WS-2019-0032 | High | 7.5 | js-yaml-3.7.0.tgz | Transitive | 17.0.0 | |
| WS-2019-0064 | High | 7.3 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| WS-2018-0590 | High | 7.1 | diff-3.3.0.tgz | Transitive | 17.0.0 | |
| WS-2020-0163 | Medium | 5.9 | marked-0.3.19.tgz | Transitive | 19.0.0 | |
| WS-2019-0103 | Medium | 5.6 | handlebars-4.0.10.tgz | Transitive | 17.0.0 | |
| CVE-2020-7789 | Medium | 5.6 | node-notifier-4.6.1.tgz | Transitive | 19.0.0 | |
| WS-2019-0169 | Medium | 5.3 | marked-0.3.19.tgz | Transitive | 17.0.0 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-3.2.0.tgz | Transitive | 20.0.0 | |
| WS-2018-0628 | Medium | 5.3 | marked-0.3.19.tgz | Transitive | 17.0.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23369

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-04-12

URL: CVE-2021-23369

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-12

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-28499

Vulnerable Library - merge-1.2.1.tgz

Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.

Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/merge/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • sane-1.4.1.tgz
      • exec-sh-0.2.0.tgz
        • merge-1.2.1.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.
Mend Note: Converted from WS-2020-0218, on 2021-07-21.

Publish Date: 2021-02-18

URL: CVE-2020-28499

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-18

Fix Resolution (merge): 2.1.0

Direct dependency fix Resolution (jest-cli): 24.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2019-19919

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Mend Note: Converted from WS-2019-0368, on 2022-11-08.

Publish Date: 2019-12-20

URL: CVE-2019-19919

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w457-6q6x-cgp9

Release Date: 2019-12-20

Fix Resolution (handlebars): 4.3.0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-23383

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Publish Date: 2021-05-04

URL: CVE-2021-23383

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

Release Date: 2021-05-04

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • yargs-5.0.0.tgz
      • y18n-3.2.1.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2019-20920

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Publish Date: 2020-09-30

URL: CVE-2019-20920

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1316

Release Date: 2020-10-15

Fix Resolution (handlebars): 4.5.3

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0063

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json,/app/compilers/react-compiler/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • js-yaml-3.7.0.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2019-20922

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Mend Note: Converted from WS-2019-0491, on 2022-11-08.

Publish Date: 2020-09-30

URL: CVE-2019-20922

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1300

Release Date: 2020-09-30

Fix Resolution (handlebars): 4.4.5

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

WS-2020-0450

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Handlebars before 4.6.0 is vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution, which may lead to Denial of Service (DoS).

Publish Date: 2020-01-09

URL: WS-2020-0450

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-09

Fix Resolution (handlebars): 4.1.2-0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-21681

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz
      • cli-usage-0.1.4.tgz
        • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (jest-cli): 19.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2021-3777

Vulnerable Library - tmpl-1.0.4.tgz

JavaScript micro templates.

Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmpl/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • sane-1.4.1.tgz
      • walker-1.0.7.tgz
        • makeerror-1.0.11.tgz
          • tmpl-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3777

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (tmpl): 1.0.5

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2022-21680

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz
      • cli-usage-0.1.4.tgz
        • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution (marked): 4.0.10

Direct dependency fix Resolution (jest-cli): 19.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0032

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/js-yaml/package.json,/app/compilers/react-compiler/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • js-yaml-3.7.0.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0064

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-01-30

URL: WS-2019-0064

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.14

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

WS-2018-0590

Vulnerable Library - diff-3.3.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-3.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/diff/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • jest-util-16.0.2.tgz
      • diff-3.3.0.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

WS-2020-0163

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz
      • cli-usage-0.1.4.tgz
        • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (ReDoS). rules.js has multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (marked): 1.1.1

Direct dependency fix Resolution (jest-cli): 19.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0103

Vulnerable Library - handlebars-4.0.10.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • istanbul-api-1.1.10.tgz
      • istanbul-reports-1.1.1.tgz
        • handlebars-4.0.10.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE).

Publish Date: 2019-01-30

URL: WS-2019-0103

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-30

Fix Resolution (handlebars): 4.0.13

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7789

Vulnerable Library - node-notifier-4.6.1.tgz

A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Library home page: https://registry.npmjs.org/node-notifier/-/node-notifier-4.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-notifier/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Publish Date: 2020-12-11

URL: CVE-2020-7789

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1906853

Release Date: 2020-12-11

Fix Resolution (node-notifier): 5.4.4

Direct dependency fix Resolution (jest-cli): 19.0.0

In order to enable automatic remediation, please create workflow rules

WS-2019-0169

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz
      • cli-usage-0.1.4.tgz
        • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Publish Date: 2019-04-03

URL: WS-2019-0169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/812

Release Date: 2019-04-03

Fix Resolution (marked): 0.6.2

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-7608

Vulnerable Library - yargs-parser-3.2.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-3.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jest-cli/node_modules/yargs-parser/package.json,/node_modules/jest-runtime/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • yargs-5.0.0.tgz
      • yargs-parser-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "`__proto__`" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 5.0.0-security.0

Direct dependency fix Resolution (jest-cli): 20.0.0

In order to enable automatic remediation, please create workflow rules

WS-2018-0628

Vulnerable Library - marked-0.3.19.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • jest-cli-16.0.2.tgz (Root Library)
    • node-notifier-4.6.1.tgz
      • cli-usage-0.1.4.tgz
        • marked-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: eb47eeefc02a252a76628fec10a3c26aacb34024

Found in base branch: master

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (ReDoS) through the heading pattern in marked.js.
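Both marked advisories on this page (the email autolink one above and the heading one here) describe the same mechanism: a pattern that is retried from every position of attacker-controlled text and backtracks over a greedy prefix each time, so work grows quadratically with input length. The script below is an added example constructed for this page; the `NAIVE_EMAIL` regex is a stand-in written to exhibit that behaviour and is not marked's own pattern, and `findEmailLinear` is a hand-written scanner shown as the linear alternative. The hostile input is constructed.

```javascript
// Added example, constructed for this page (NOT marked's regex or code): an
// unanchored "find an address anywhere" pattern with a greedy prefix is
// quadratic on input that never completes a match; a hand-written scanner
// that jumps to '@' and expands outward is linear.

// Constructed pattern. With no valid address present the engine retries from
// every start position and, from each, greedily consumes then backtracks the
// remainder: roughly n^2/2 character steps for n bytes of input.
const NAIVE_EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

const LOCAL_CHAR = /[A-Za-z0-9._%+-]/;
const DOMAIN_CHAR = /[A-Za-z0-9.-]/;
const TLD = /^[A-Za-z]+$/;

// Linear alternative: visit each '@', expand left over local-part characters
// and right over domain characters, then validate the pieces. Expansion stops
// at the neighbouring '@', so every character is examined a bounded number of
// times whatever shape the input has.
function findEmailLinear(text) {
  for (let at = text.indexOf('@'); at !== -1; at = text.indexOf('@', at + 1)) {
    let l = at;
    while (l > 0 && LOCAL_CHAR.test(text[l - 1])) l--;
    let r = at + 1;
    while (r < text.length && DOMAIN_CHAR.test(text[r])) r++;
    const local = text.slice(l, at);
    const domain = text.slice(at + 1, r);
    const dot = domain.lastIndexOf('.');
    const tld = dot === -1 ? '' : domain.slice(dot + 1);
    if (local.length > 0 && dot > 0 && tld.length >= 2 && TLD.test(tld)) {
      return `${local}@${domain}`;
    }
  }
  return null;
}

function msElapsed(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed hostile input: a long run of local-part characters and a
// trailing '@' with no domain, so neither scanner finds an address but only
// the regex pays n^2 to conclude that.
function hostileInput(n) {
  return 'a'.repeat(n) + '@';
}

// Time both scanners as the input doubles. The naive column should roughly
// quadruple per row while the linear column stays flat.
function compare(sizes = [2000, 4000, 8000]) {
  return sizes.map((n) => {
    const s = hostileInput(n);
    return {
      n,
      naiveMs: msElapsed(() => NAIVE_EMAIL.exec(s)),
      linearMs: msElapsed(() => findEmailLinear(s)),
    };
  });
}

console.table(compare());
```

Two practical caveats: measured times vary by machine and engine, so the growth rate between rows is the signal, not the absolute numbers; and a length cap on untrusted markdown bounds the damage but does not make a quadratic pattern linear, which is why the real fix is an upgrade to a marked release whose patterns were rewritten.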

Publish Date: 2018-04-16

URL: WS-2018-0628

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-04-16

Fix Resolution (marked): 0.4.0

Direct dependency fix Resolution (jest-cli): 17.0.0

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Mar 17, 2022
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) - autoclosed Mar 25, 2022
@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) - autoclosed jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) Mar 28, 2022
@mend-for-github-com mend-for-github-com bot reopened this Mar 28, 2022
@mend-for-github-com
Copy link
Author

ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) - autoclosed Jun 6, 2022
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) - autoclosed Jun 6, 2022
@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) - autoclosed jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) Jun 6, 2022
@mend-for-github-com mend-for-github-com bot reopened this Jun 6, 2022
@mend-for-github-com
Copy link
Author

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 17 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) Jul 2, 2022
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 19 vulnerabilities (highest severity is: 9.8) Jul 6, 2022
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 19 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) Dec 7, 2022
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) - autoclosed Mar 8, 2023
@mend-for-github-com
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) - autoclosed jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) Mar 16, 2023
@mend-for-github-com mend-for-github-com bot reopened this Mar 16, 2023
@mend-for-github-com
Copy link
Author

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) Feb 1, 2024
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) Feb 1, 2024
Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) - autoclosed Feb 1, 2024
@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 18 vulnerabilities (highest severity is: 9.8) - autoclosed jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) Feb 1, 2024
@mend-for-github-com mend-for-github-com bot reopened this Feb 1, 2024
Copy link
Author

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

Copy link
Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

@mend-for-github-com mend-for-github-com bot changed the title jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) jest-cli-16.0.2.tgz: 21 vulnerabilities (highest severity is: 9.8) - autoclosed Feb 1, 2024