forever-2.0.0.tgz: 11 vulnerabilities (highest severity is: 9.8)

[dev-mend-for-github-com]

Vulnerable Library - forever-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (forever version)	Remediation Possible**	Reachability
CVE-2021-44906	Critical	9.8	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2019-10747	Critical	9.8	detected in multiple dependencies	Transitive	3.0.0	✅
CVE-2019-10746	Critical	9.8	mixin-deep-1.3.1.tgz	Transitive	3.0.0	✅
CVE-2021-37712	High	8.2	tar-4.4.8.tgz	Transitive	3.0.0	✅
WS-2018-0148	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-4068	High	7.5	braces-2.3.2.tgz	Transitive	N/A*	❌
CVE-2022-38900	High	7.5	decode-uri-component-0.2.0.tgz	Transitive	3.0.0	✅
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2019-20149	High	7.5	kind-of-6.0.2.tgz	Transitive	3.0.0	✅
CVE-2020-7774	High	7.3	y18n-3.2.1.tgz	Transitive	3.0.0	✅
CVE-2020-7598	Medium	5.6	detected in multiple dependencies	Transitive	3.0.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-44906

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-0.0.10.tgz, minimist-1.2.0.tgz, minimist-1.2.5.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • flatiron-0.4.3.tgz
    • optimist-0.6.0.tgz
      • ❌ minimist-0.0.10.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • rc-1.2.8.tgz
            • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/prettyjson/node_modules/minimist/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • prettyjson-1.2.1.tgz
    • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution: minimist - 1.2.6

CVE-2019-10747

Vulnerable Libraries - set-value-2.0.0.tgz, set-value-0.4.3.tgz

set-value-2.0.0.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-2.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/set-value/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • ❌ set-value-2.0.0.tgz (Vulnerable Library)

set-value-0.4.3.tgz

Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.

Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/union-value/node_modules/set-value/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • cache-base-1.0.1.tgz
              • union-value-1.0.0.tgz
                • ❌ set-value-0.4.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Publish Date: 2019-08-23

URL: CVE-2019-10747

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (forever): 3.0.0

Fix Resolution (set-value): 2.0.1

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10746

Vulnerable Library - mixin-deep-1.3.1.tgz

Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.

Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mixin-deep/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • base-0.11.2.tgz
            • ❌ mixin-deep-1.3.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-08-23

URL: CVE-2019-10746

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-23

Fix Resolution (mixin-deep): 1.3.2

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37712

Vulnerable Library - tar-4.4.8.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • ❌ tar-4.4.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0148

Vulnerable Libraries - utile-0.3.0.tgz, utile-0.2.1.tgz

utile-0.3.0.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/utile/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • ❌ utile-0.3.0.tgz (Vulnerable Library)

utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/prompt/node_modules/utile/package.json,/node_modules/broadway/node_modules/utile/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • flatiron-0.4.3.tgz
    • prompt-0.2.14.tgz
      • ❌ utile-0.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The utile npm module, version 0.3.0, allows to extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed (e.g. from JSON).

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0148

Release Date: 2018-01-16

Fix Resolution: JetBrains.Rider.Frontend5 - 212.0.20210826.92917,212.0.20211008.220753

CVE-2024-4068

Vulnerable Library - braces-2.3.2.tgz

Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.

Library home page: https://registry.npmjs.org/braces/-/braces-2.3.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/braces/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • ❌ braces-2.3.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Publish Date: 2024-05-13

URL: CVE-2024-4068

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-13

Fix Resolution: braces - 3.0.3

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • braces-2.3.2.tgz
        • snapdragon-0.8.2.tgz
          • source-map-resolve-0.5.2.tgz
            • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json,/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • utile-0.3.0.tgz
    • rimraf-2.6.3.tgz
      • glob-7.1.3.tgz
        • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2019-20149

Vulnerable Library - kind-of-6.0.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/micromatch/node_modules/kind-of/package.json,/node_modules/define-property/node_modules/kind-of/package.json,/node_modules/snapdragon-node/node_modules/kind-of/package.json,/node_modules/extglob/node_modules/kind-of/package.json,/node_modules/nanomatch/node_modules/kind-of/package.json,/node_modules/base/node_modules/kind-of/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • readdirp-2.2.1.tgz
        • micromatch-3.1.10.tgz
          • ❌ kind-of-6.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution (kind-of): 6.0.3

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7774

Vulnerable Library - y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • nconf-0.10.0.tgz
    • yargs-3.32.0.tgz
      • ❌ y18n-3.2.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7598

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.10.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • forever-monitor-2.0.0.tgz
    • chokidar-2.1.8.tgz
      • fsevents-1.2.9.tgz
        • node-pre-gyp-0.12.0.tgz
          • rc-1.2.8.tgz
            • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • flatiron-0.4.3.tgz
    • optimist-0.6.0.tgz
      • ❌ minimist-0.0.10.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json,/node_modules/mkdirp/node_modules/minimist/package.json

Dependency Hierarchy:

• forever-2.0.0.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (forever): 3.0.0

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (forever): 3.0.0

Fix Resolution (minimist): 1.2.3

Direct dependency fix Resolution (forever): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.