This repository has been archived by the owner on Apr 27, 2022. It is now read-only.
ng-packagr-11.0.3.tgz: 15 vulnerabilities (highest severity is: 9.8) - autoclosed #33
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Vulnerabilities
Details
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/issues/164
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - is-svg-3.0.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution (is-svg): 4.2.2
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - normalize-url-3.3.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - css-what-3.4.2.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution (css-what): 5.0.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - color-string-1.5.4.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.
Publish Date: 2021-03-12
URL: WS-2021-0152
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/Qix-/color-string/releases/tag/1.5.5
Release Date: 2021-03-12
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - is-svg-3.0.0.tgz
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Publish Date: 2021-06-21
URL: CVE-2021-29059
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
Release Date: 2021-06-21
Fix Resolution (is-svg): 4.3.0
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/path-parse/package.json,/aspnet-core/src/Thor.SSO.HttpApi.Host/node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: jbgutierrez/path-parse#8
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - nth-check-1.0.2.tgz
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution (nth-check): 2.0.1
Direct dependency fix Resolution (ng-packagr): 12.0.0-next.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - color-string-1.5.4.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.4.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/color-string/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Publish Date: 2021-06-21
URL: CVE-2021-29060
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-257v-vj4p-3w2h
Release Date: 2021-06-21
Fix Resolution (color-string): 1.5.5
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - postcss-7.0.35.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
Publish Date: 2021-04-26
URL: CVE-2021-23382
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23382
Release Date: 2021-04-26
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - hosted-git-info-2.8.8.tgz
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - browserslist-4.15.0.tgz
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.15.0.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution (browserslist): 4.16.5
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - postcss-7.0.35.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-7.0.35.tgz
Path to dependency file: /angular/package.json
Path to vulnerable library: /angular/node_modules/ng-packagr/node_modules/postcss/package.json
Dependency Hierarchy:
Found in HEAD commit: 2e5128b82914ee6f0021bd2c18fef7b5c70d6088
Found in base branch: develop
Vulnerability Details
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Publish Date: 2021-04-12
URL: CVE-2021-23368
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23368
Release Date: 2021-04-12
Fix Resolution (postcss): 7.0.36
Direct dependency fix Resolution (ng-packagr): 11.1.0
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: