serverless-1.47.0.tgz: 33 vulnerabilities (highest severity is: 9.8) #20

Open
mend-for-github.aaakk.us.kg bot opened this issue Jun 2, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend


mend-for-github.aaakk.us.kg bot commented Jun 2, 2022

Vulnerable Library - serverless-1.47.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jszip/package.json

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (serverless version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-27307 | Critical | 9.8 | Not Defined | 0.0% | jsonata-1.6.5.tgz | Transitive | 1.48.0 | | |
| CVE-2021-44906 | Critical | 9.8 | Not Defined | 4.6% | detected in multiple dependencies | Transitive | 1.48.0 | | |
| CVE-2020-12265 | Critical | 9.8 | Not Defined | 0.6% | decompress-4.2.0.tgz | Transitive | 1.48.0 | | |
| CVE-2021-43138 | High | 7.8 | Not Defined | 0.2% | async-2.6.2.tgz | Transitive | 1.48.0 | | |
| WS-2020-0044 | High | 7.5 | Not Defined | | decompress-4.2.0.tgz | Transitive | 1.48.0 | | |
| WS-2019-0310 | High | 7.5 | Not Defined | | https-proxy-agent-2.2.2.tgz | Transitive | 1.48.0 | | |
| CVE-2024-21538 | High | 7.5 | Proof of concept | 0.0% | cross-spawn-5.1.0.tgz | Transitive | N/A* | | |
| CVE-2022-38900 | High | 7.5 | Not Defined | 0.4% | decode-uri-component-0.2.0.tgz | Transitive | 1.48.0 | | |
| CVE-2022-3517 | High | 7.5 | Not Defined | 0.2% | minimatch-3.0.4.tgz | Transitive | N/A* | | |
| CVE-2022-31129 | High | 7.5 | Not Defined | 0.8% | moment-2.24.0.tgz | Transitive | 1.48.0 | | |
| CVE-2022-24785 | High | 7.5 | Not Defined | 0.4% | moment-2.24.0.tgz | Transitive | 1.48.0 | | |
| CVE-2021-3807 | High | 7.5 | Not Defined | 0.4% | detected in multiple dependencies | Transitive | 1.48.0 | | |
| CVE-2021-3795 | High | 7.5 | Not Defined | 0.1% | semver-regex-1.0.0.tgz | Transitive | 2.0.0-264b9b2d | | |
| CVE-2019-20149 | High | 7.5 | Not Defined | 0.1% | kind-of-6.0.2.tgz | Transitive | 1.48.0 | | |
| CVE-2022-48285 | High | 7.3 | Not Defined | 0.70000005% | jszip-3.2.2.tgz | Transitive | 1.48.0 | | |
| CVE-2020-8116 | High | 7.3 | Not Defined | 0.2% | dot-prop-4.2.0.tgz | Transitive | 1.48.0 | | |
| CVE-2020-7788 | High | 7.3 | Proof of concept | 1.2% | ini-1.3.5.tgz | Transitive | 1.48.0 | | |
| CVE-2020-28472 | High | 7.3 | Proof of concept | 1.9% | aws-sdk-2.492.0.tgz | Transitive | 1.48.0 | | |
| CVE-2021-23337 | High | 7.2 | Proof of concept | 0.9% | lodash-4.17.19.tgz | Transitive | 1.48.0 | | |
| CVE-2020-8244 | Medium | 6.5 | Not Defined | 0.1% | bl-1.2.2.tgz | Transitive | 1.48.0 | | |
| CVE-2020-36632 | Medium | 6.3 | Not Defined | 0.70000005% | flat-4.1.0.tgz | Transitive | 1.48.0 | | |
| CVE-2022-0235 | Medium | 6.1 | Not Defined | 0.4% | detected in multiple dependencies | Transitive | 1.70.0 | | |
| CVE-2021-43307 | Medium | 5.9 | Not Defined | 0.1% | semver-regex-1.0.0.tgz | Transitive | 2.0.0-264b9b2d | | |
| CVE-2020-7598 | Medium | 5.6 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.48.0 | | |
| CVE-2024-47764 | Medium | 5.3 | Not Defined | 0.0% | cookie-0.3.1.tgz | Transitive | 1.70.0 | | |
| CVE-2022-33987 | Medium | 5.3 | Not Defined | 0.1% | got-6.7.1.tgz | Transitive | 2.72.2-c1500451 | | |
| CVE-2022-25901 | Medium | 5.3 | Proof of concept | 0.4% | cookiejar-2.1.2.tgz | Transitive | 1.48.0 | | |
| CVE-2022-25883 | Medium | 5.3 | Proof of concept | 0.3% | semver-5.7.0.tgz | Transitive | 4.0.0 | | |
| CVE-2021-23413 | Medium | 5.3 | Not Defined | 0.2% | jszip-3.2.2.tgz | Transitive | 1.48.0 | | |
| CVE-2020-28500 | Medium | 5.3 | Proof of concept | 0.2% | lodash-4.17.19.tgz | Transitive | 1.48.0 | | |
| CVE-2017-16137 | Low | 3.7 | Not Defined | 0.3% | debug-3.2.6.tgz | Transitive | 1.48.0 | | |
| CVE-2020-15168 | Low | 2.6 | Not Defined | 0.1% | detected in multiple dependencies | Transitive | 1.70.0 | | |
| CVE-2024-27088 | Low | 0.0 | Not Defined | 0.0% | es5-ext-0.10.50.tgz | Transitive | 1.48.0 | | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-27307

Vulnerable Library - jsonata-1.6.5.tgz

JSON query and transformation language

Library home page: https://registry.npmjs.org/jsonata/-/jsonata-1.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonata/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • enterprise-plugin-1.2.0.tgz
      • jsonata-1.6.5.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Publish Date: 2024-03-06

URL: CVE-2024-27307

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fqg8-vfv7-8fj8

Release Date: 2024-03-06

Fix Resolution (jsonata): 1.8.7

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 4.6%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-12265

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • download-5.0.3.tgz
      • decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Mend Note: Decompress versions prior to 4.2.1 are vulnerable to CVE-2020-12265 which could lead to Path Traversal. decompress-tar is a tar plugin for decompress and is also vulnerable to CVE-2020-12265 and there is no fixed version for decompress-tar.

Publish Date: 2020-04-26

URL: CVE-2020-12265

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qgfr-5hqp-vrw9

Release Date: 2020-04-26

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43138

Vulnerable Library - async-2.6.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/archiver/node_modules/async/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • archiver-1.3.0.tgz
      • async-2.6.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0044

Vulnerable Library - decompress-4.2.0.tgz

Extracting archives made easy

Library home page: https://registry.npmjs.org/decompress/-/decompress-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decompress/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • download-5.0.3.tgz
      • decompress-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

decompress in all its versions is vulnerable to arbitrary file write. The package fails to prevent the extraction of files with relative paths, which allows attackers to write to any folder on the system.

Publish Date: 2020-03-08

URL: WS-2020-0044

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-08

Fix Resolution (decompress): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0310

Vulnerable Library - https-proxy-agent-2.2.2.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • https-proxy-agent-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-10-07

Fix Resolution (https-proxy-agent): 2.2.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-21538

Vulnerable Library - cross-spawn-5.1.0.tgz

Cross platform child_process#spawn and child_process#spawnSync

Library home page: https://registry.npmjs.org/cross-spawn/-/cross-spawn-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/cross-spawn/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • boxen-1.3.0.tgz
        • term-size-1.2.0.tgz
          • execa-0.7.0.tgz
            • cross-spawn-5.1.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Publish Date: 2024-11-08

URL: CVE-2024-21538

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21538

Release Date: 2024-11-08

Fix Resolution (cross-spawn): 7.0.5

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • nanomatch-1.2.13.tgz
      • snapdragon-0.8.2.tgz
        • source-map-resolve-0.5.2.tgz
          • decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • enterprise-plugin-1.2.0.tgz
      • node-dir-0.1.17.tgz
        • minimatch-3.0.4.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution (minimatch): 3.0.5

CVE-2022-31129

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • moment-2.24.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.8%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution (moment): 2.29.4

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24785

Vulnerable Library - moment-2.24.0.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.24.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • moment-2.24.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution (moment): 2.29.2

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3807

Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • inquirer-6.5.0.tgz
      • strip-ansi-5.2.0.tgz
        • ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • inquirer-6.5.0.tgz
      • string-width-2.1.1.tgz
        • strip-ansi-4.0.0.tgz
          • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-93q8-gq69-wqmw

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 4.1.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3795

Vulnerable Library - semver-regex-1.0.0.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • semver-regex-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

semver-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-15

URL: CVE-2021-3795

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-09-15

Fix Resolution (semver-regex): 3.1.3

Direct dependency fix Resolution (serverless): 2.0.0-264b9b2d

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/kind-of/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • nanomatch-1.2.13.tgz
      • kind-of-6.0.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-48285

Vulnerable Library - jszip-3.2.2.tgz

Create, read and edit .zip files with JavaScript http://stuartk.com/jszip

Library home page: https://registry.npmjs.org/jszip/-/jszip-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jszip/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • jszip-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Mend Note: Converted from WS-2023-0004, on 2023-02-01.

Publish Date: 2023-01-29

URL: CVE-2022-48285

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-29

Fix Resolution (jszip): 3.8.0

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8116

Vulnerable Library - dot-prop-4.2.0.tgz

Get, set, or delete a property from a nested object using a dot path

Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/dot-prop/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • update-notifier-2.5.0.tgz
      • configstore-3.1.2.tgz
        • dot-prop-4.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Publish Date: 2020-02-04

URL: CVE-2020-8116

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

Release Date: 2020-02-04

Fix Resolution (dot-prop): 4.2.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7788

Vulnerable Library - ini-1.3.5.tgz

An ini encoder/decoder for node

Library home page: https://registry.npmjs.org/ini/-/ini-1.3.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ini/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • rc-1.2.8.tgz
      • ini-1.3.5.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2020-12-11

URL: CVE-2020-7788

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 1.2%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788

Release Date: 2020-12-11

Fix Resolution (ini): 1.3.6

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28472

Vulnerable Library - aws-sdk-2.492.0.tgz

AWS SDK for JavaScript

Library home page: https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.492.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serverless/node_modules/aws-sdk/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • aws-sdk-2.492.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

Publish Date: 2021-01-19

URL: CVE-2020-28472

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 1.9%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28472

Release Date: 2021-01-19

Fix Resolution (aws-sdk): 2.814.0

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.9%

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8244

Vulnerable Library - bl-1.2.2.tgz

Buffer List: collect buffers and access with a standard readable Buffer interface, streamable too!

Library home page: https://registry.npmjs.org/bl/-/bl-1.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/bl/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • archiver-1.3.0.tgz
      • tar-stream-1.6.2.tgz
        • bl-1.2.2.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3: if attacker-supplied user input (even typed input) ends up as the consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Publish Date: 2020-08-30

URL: CVE-2020-8244

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pp7h-53gx-mx7r

Release Date: 2020-08-30

Fix Resolution (bl): 1.2.3

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-36632

Vulnerable Library - flat-4.1.0.tgz

Take a nested Javascript object and flatten it, or unflatten an object with delimited keys

Library home page: https://registry.npmjs.org/flat/-/flat-4.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/flat/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • enterprise-plugin-1.2.0.tgz
      • flat-4.1.0.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.

Publish Date: 2022-12-25

URL: CVE-2020-36632

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.7%

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2j2x-2gpw-g8fm

Release Date: 2022-12-25

Fix Resolution (flat): 4.1.1

Direct dependency fix Resolution (serverless): 1.48.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0235

Vulnerable Libraries - node-fetch-2.6.0.tgz, node-fetch-1.7.3.tgz

node-fetch-2.6.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@serverless/enterprise-plugin/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • enterprise-plugin-1.2.0.tgz
      • node-fetch-2.6.0.tgz (Vulnerable Library)

node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • serverless-1.47.0.tgz (Root Library)
    • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in HEAD commit: aa914de618a178424105cc38c474133a60c17eeb

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (serverless): 1.70.0


⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jun 2, 2022