Skip to content
This repository was archived by the owner on Nov 25, 2022. It is now read-only.
This repository was archived by the owner on Nov 25, 2022. It is now read-only.

prop-types-15.5.10.tgz: 4 vulnerabilities (highest severity is: 7.5) #225

Open
Open
prop-types-15.5.10.tgz: 4 vulnerabilities (highest severity is: 7.5)#225
Labels
security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 6, 2022
Vulnerable Library - prop-types-15.5.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Found in HEAD commit: a3dbf35cb085f06d30ddebd988d7a451931e5f89

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2020-7733 High 7.5 ua-parser-js-0.7.12.tgz Transitive 15.6.0
CVE-2020-7793 High 7.5 ua-parser-js-0.7.12.tgz Transitive 15.6.0
CVE-2022-0235 Medium 6.1 node-fetch-1.7.0.tgz Transitive 15.6.2
CVE-2020-15168 Medium 5.3 node-fetch-1.7.0.tgz Transitive 15.6.2

Details

CVE-2020-7733

Vulnerable Library - ua-parser-js-0.7.12.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.12.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • prop-types-15.5.10.tgz (Root Library)
    • fbjs-0.8.12.tgz
      • ua-parser-js-0.7.12.tgz (Vulnerable Library)

Found in HEAD commit: a3dbf35cb085f06d30ddebd988d7a451931e5f89

Found in base branch: main

Vulnerability Details

The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7733

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (prop-types): 15.6.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-7793

Vulnerable Library - ua-parser-js-0.7.12.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.12.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • prop-types-15.5.10.tgz (Root Library)
    • fbjs-0.8.12.tgz
      • ua-parser-js-0.7.12.tgz (Vulnerable Library)

Found in HEAD commit: a3dbf35cb085f06d30ddebd988d7a451931e5f89

Found in base branch: main

Vulnerability Details

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info).

Publish Date: 2020-12-11

URL: CVE-2020-7793

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-11

Fix Resolution (ua-parser-js): 0.7.23

Direct dependency fix Resolution (prop-types): 15.6.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.0.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • prop-types-15.5.10.tgz (Root Library)
    • fbjs-0.8.12.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.0.tgz (Vulnerable Library)

Found in HEAD commit: a3dbf35cb085f06d30ddebd988d7a451931e5f89

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (prop-types): 15.6.2

⛑️ Automatic Remediation is available for this issue

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.0.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • prop-types-15.5.10.tgz (Root Library)
    • fbjs-0.8.12.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.0.tgz (Vulnerable Library)

Found in HEAD commit: a3dbf35cb085f06d30ddebd988d7a451931e5f89

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (prop-types): 15.6.2

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions