CVE-2021-44906 (Critical) detected in multiple libraries - autoclosed #554
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory. |
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
1 task
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-44906 - Critical Severity Vulnerability
minimist-0.0.10.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/typedoc-plugin-ui-router/node_modules/minimist
Dependency Hierarchy:
minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/library/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/minimist/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/minimist/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/mkdirp/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_typescript_no_lockfile/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/multiple_sources/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/duplicate/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_multiple/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/minimist/package.json,/npm_and_yarn/helpers/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/duplicate_identical/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/minor_version_specified/node_modules/minimist/package.json
Dependency Hierarchy:
minimist-1.2.0.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_dependency_local_file/node_modules/minimist/package.json
Dependency Hierarchy:
minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/resolution_specified/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: ba8cd9078c8ce0cb202767d627706711237abf71
Found in base branch: main
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (bull-arena): 2.5.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (eslint): 3.16.0
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (graphql-cli): 3.0.4
Fix Resolution (minimist): 0.2.4
Direct dependency fix Resolution (graphql-cli): 3.0.4
⛑️ Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: